Abstract

We introduce a logic for reasoning about evidence that essentially views evidence as
a function from prior beliefs (before making an observation) to posterior beliefs (after
making the observation). We provide a sound and complete axiomatization for the logic,
and consider the complexity of the decision problem. Although the reasoning in the logic
is mainly propositional, we allow variables representing numbers and quantification over
them. This expressive power seems necessary to capture important properties of evidence.



1. Introduction

Consider the following situation, essentially taken from Halpern and Tuttle (1993) and
Fagin and Halpern (1994). A coin is tossed, which is either fair or double-headed. The coin 
lands heads. How likely is it that the coin is double-headed? What if the coin is tossed 
20 times and it lands heads each time? Intuitively, it is much more likely that the coin 
is double-headed in the latter case than in the former. But how should the likelihood be 
measured? We cannot simply compute the probability of the coin being double-headed; 
assigning a probability to that event requires that we have a prior probability on the coin 
being double-headed. For example, if the coin was chosen at random from a barrel with 
one billion fair coins and one double-headed coin, it is still overwhelmingly likely that the 
coin is fair, and that the sequence of 20 heads is just unlucky. However, in the problem 
statement, the prior probability is not given. We can show that any given prior probability
on the coin being double-headed increases significantly as a result of seeing 20 heads. But,
intuitively, it seems that we should be able to say that seeing 20 heads in a row provides
a great deal of evidence in favor of the coin being double-headed without invoking a prior.
There has been a great deal of work in trying to make this intuition precise, which we now 
review. 

The main feature of the coin example is that it involves a combination of probabilistic
outcomes (e.g., the coin tosses) and nonprobabilistic outcomes (e.g., the choice of the
coin). There has been a great deal of work on reasoning about systems that combine both
probabilistic and nondeterministic choices; see, for example, Vardi (1985), Fischer and Zuck
(1988), Halpern, Moses, and Tuttle (1988), Halpern and Tuttle (1993), de Alfaro (1998),
He, Seidel, and McIver (1997). However, the observations above suggest that if we attempt
to formally analyze this situation in one of those frameworks, which essentially permit only
the modeling of probabilities, we will not be able to directly capture this intuition about
increasing likelihood. To see how this plays out, consider a formal analysis of the situation
in the Halpern-Tuttle (1993) framework. Suppose that Alice nonprobabilistically chooses
one of two coins: a fair coin with probability 1/2 of landing heads, or a double-headed coin
with probability 1 of landing heads. Alice tosses this coin repeatedly. Let $\varphi_k$ be a formula
stating: "the $k$th coin toss lands heads". What is the probability of $\varphi_k$ according to Bob,
who does not know which coin Alice chose, or even the probability of Alice's choice?

According to the Halpern-Tuttle framework, this can be modeled by considering the 
set of runs describing the states of the system at each point in time, and partitioning 
this set into two subsets, one for each coin used. In the set of runs where the fair coin 
is used, the probability of $\varphi_k$ is 1/2; in the set of runs where the double-headed coin is
used, the probability of $\varphi_k$ is 1. In this setting, the only conclusion that can be drawn is
$(\Pr_B(\varphi_k) = 1/2) \lor (\Pr_B(\varphi_k) = 1)$. (This is of course the probability from Bob's point of
view; Alice presumably knows which coin she is using.) Intuitively, this seems reasonable:
if the fair coin is chosen, the probability that the $k$th coin toss lands heads, according to
Bob, is 1/2; if the double-headed coin is chosen, the probability is 1. Since Bob does not 
know which of the coins is being used, that is all that can be said. 

But now suppose that, before the 101st coin toss, Bob learns the result of the first 100 
tosses. Suppose, moreover, that all of these landed heads. What is the probability that the 
101st coin toss lands heads? By the same analysis, it is still either 1/2 or 1, depending on 
which coin is used. 

This is hardly useful. To make matters worse, no matter how many coin tosses Bob 
witnesses, the probability that the next toss lands heads remains unchanged. But this 
answer misses out on some important information. The fact that all of the first 100 coin 
tosses are heads is very strong evidence that the coin is in fact double-headed. Indeed, a 
straightforward computation using Bayes' Rule shows that if the prior probability of the 
coin being double-headed is $\alpha$, then after observing that all of the 100 tosses land heads,
the probability of the coin being double-headed becomes

$$\frac{\alpha}{\alpha + 2^{-100}(1 - \alpha)} = \frac{2^{100}\alpha}{2^{100}\alpha + (1 - \alpha)}.$$

However, note that it is not possible to determine the posterior probability that the coin is
double-headed (or that the 101st coin toss is heads) without the prior probability $\alpha$. After
all, if Alice chooses the double-headed coin with probability only $10^{-100}$, then it is still
overwhelmingly likely that the coin used is in fact fair, and that Bob was just very unlucky 
to see such an unrepresentative sequence of coin tosses. 

None of the frameworks described above for reasoning about nondeterminism and probability
takes the issue of evidence into account. On the other hand, evidence has been
discussed extensively in the philosophical literature. Much of this discussion occurs in the
philosophy of science, specifically confirmation theory, where the concern has been historically
to assess the support that evidence obtained through experimentation lends to various
scientific theories (Carnap, 1962; Popper, 1959; Good, 1950; Milne, 1996). (Kyburg (1983) 
provides a good overview of the literature.) 

In this paper, we introduce a logic for reasoning about evidence. Our logic extends a 
logic defined by Fagin, Halpern and Megiddo (1990) (FHM from now on) for reasoning about 
likelihood expressed as either probability or belief. The logic has first-order quantification 
over the reals (so includes the theory of real closed fields), as does the FHM logic, for 
reasons that will shortly become clear. We add observations to the states, and provide an 
additional operator to talk about the evidence provided by particular observations. We also
refine the language to talk about both the prior probability of hypotheses and the posterior 
probability of hypotheses, taking into account the observation at the states. This lets us 
write formulas that talk about the relationship between the prior probabilities, the posterior 
probabilities, and the evidence provided by the observations. 

We then provide a sound and complete axiomatization for the logic. To obtain such an 
axiomatization, we seem to need first-order quantification in a fundamental way. Roughly 
speaking, this is because ensuring that the evidence operator has the appropriate properties 
requires us to assert the existence of suitable probability measures. It does not seem possible
to do this without existential quantification. Finally, we consider the complexity of the
satisfiability problem. The complexity problem for the full language requires exponential
space, since it incorporates the theory of real closed fields, for which an exponential-space
lower bound is known (Ben-Or, Kozen, & Reif, 1986). However, we show that the satisfiability
problem for a propositional fragment of the language, which is still strong enough to
allow us to express many properties of interest, is decidable in polynomial space. 

It is reasonable to ask at this point why we should bother with a logic of evidence. Our 
claim is that many decisions in practical applications are made on the basis of evidence. 
To take an example from security, consider an enforcement mechanism used to detect and 
react to intrusions in a computer system. Such an enforcement mechanism analyzes the 
behavior of users and attempts to recognize intruders. Clearly the mechanism wants to 
make sensible decisions based on observations of user behaviors. How should it do this? 
One way is to think of an enforcement mechanism as accumulating evidence for or against 
the hypothesis that the user is an intruder. The accumulated evidence can then be used as 
the basis for a decision to quarantine a user. In this context, it is not clear that there is a 
reasonable way to assign a prior probability on whether a user is an intruder. If we want 
to specify the behavior of such systems and prove that they meet their specifications, it is 
helpful to have a logic that allows us to do this. We believe that the logic we propose here 
is the first to do so. 

The rest of the paper is organized as follows. In the next section, we formalize a notion 
of evidence that captures the intuitions outlined above. In Section 3, we introduce our logic 
for reasoning about evidence. In Section 4, we present an axiomatization for the logic and 
show that it is sound and complete with respect to the intended models. In Section 5, we 
discuss the complexity of the decision problem of our logic. In Section 6, we examine some 
alternatives to the definition of weight of evidence we use. For ease of exposition, in most 
of the paper, we consider a system where there are only two time points: before and after 
the observation. In Section 7, we extend our work to dynamic systems, where there can be 
multiple pieces of evidence, obtained at different points in time. The proofs of our technical 
results can be found in the appendix. 

2. Measures of Confirmation and Evidence 

In order to develop a logic for reasoning about evidence, we need to first formalize an 
appropriate notion of evidence. In this section, we review various formalizations from the 
literature, and discuss the formalization we use. Evidence has been studied in depth in the 
philosophical literature, under the name of confirmation theory. Confirmation theory aims 
at determining and measuring the support a piece of evidence provides an hypothesis. As we
mentioned in the introduction, many different measures of confirmation have been proposed 
in the literature. Typically, a proposal has been judged on the degree to which it satisfies 
various properties that are considered appropriate for confirmation. For example, it may be 
required that a piece of evidence e confirms an hypothesis h if and only if e makes h more 
probable. We have no desire to enter the debate as to which class of measures of confirmation 
is more appropriate. For our purposes, most confirmation functions are inappropriate: 
they assume that we are given a prior on the set of hypotheses and observations. By 
marginalization, we also have a prior on hypotheses, which is exactly the information we do 
not have and do not want to assume. One exception is measures of evidence that use the 
log-likelihood ratio. In this case, rather than having a prior on hypotheses and observations, 
it suffices that there be a probability $\mu_h$ on observations for each hypothesis h: intuitively,
$\mu_h(ob)$ is the probability of observing ob when h holds. Given an observation ob, the degree
of confirmation that it provides for an hypothesis h is

where $\overline{h}$ represents the hypothesis other than h (recall that this approach applies only if
there are two hypotheses). Thus, the degree of confirmation is the ratio between these
two probabilities. The use of the logarithm is not critical here. Using it ensures that the
likelihood is positive if and only if the observation confirms the hypothesis. This approach
has been advocated by Good (1950, 1960), among others.¹

One problem with the log-likelihood ratio measure $l$ as we have defined it is that it can
be used only to reason about evidence discriminating between two competing hypotheses, 
namely between an hypothesis h holding and the hypothesis h not holding. We would like 
a measure of confirmation along the lines of the log-likelihood ratio measure, but that can 
handle multiple competing hypotheses. There have been a number of such generalizations, 
for example, by Pearl (1988) and Chan and Darwiche (2005). We focus here on the generalization
given by Shafer (1982) in the context of the Dempster-Shafer theory of evidence
based on belief functions (Shafer, 1976); it was further studied by Walley (1987). The 
description here is taken mostly from Halpern and Fagin (1992). While this measure of 
confirmation has a number of nice properties of which we take advantage, much of the work 
presented in this paper can be adapted to different measures of confirmation. 

We start with a finite set $\mathcal{H}$ of mutually exclusive and exhaustive hypotheses; thus,
exactly one hypothesis holds at any given time. Let $\mathcal{O}$ be the set of possible observations
(or pieces of evidence). For simplicity, we assume that $\mathcal{O}$ is finite. Just as in the case of
log-likelihood, we also assume that, for each hypothesis $h \in \mathcal{H}$, there is a probability measure
$\mu_h$ on $\mathcal{O}$ such that $\mu_h(ob)$ is the probability of ob if hypothesis h holds. Furthermore, we
assume that the observations in $\mathcal{O}$ are relevant to the hypotheses: for every observation
$ob \in \mathcal{O}$, there must be an hypothesis h such that $\mu_h(ob) > 0$. (The measures $\mu_h$ are often
called likelihood functions in the literature.) We define an evidence space (over $\mathcal{H}$ and $\mathcal{O}$)
to be a tuple $\mathcal{E} = (\mathcal{H}, \mathcal{O}, \mu)$, where $\mu$ is a function that assigns to every hypothesis $h \in \mathcal{H}$
the likelihood function $\mu(h) = \mu_h$. (For simplicity, we usually write $\mu_h$ for $\mu(h)$, when
the function $\mu$ is clear from context.)

1. Another related approach, the Bayes factor approach, is based on taking the ratio of odds rather than
likelihoods (Good, 1950; Jeffrey, 1992). We remark that in the literature, confirmation is usually taken
with respect to some background knowledge. For ease of exposition, we ignore background knowledge
here, although it can easily be incorporated into the framework we present.

Given an evidence space $\mathcal{E}$, we define the weight that the observation ob lends to
hypothesis h, written $w_{\mathcal{E}}(ob, h)$, as

$$w_{\mathcal{E}}(ob, h) = \frac{\mu_h(ob)}{\sum_{h' \in \mathcal{H}} \mu_{h'}(ob)}. \qquad (1)$$

The measure $w_{\mathcal{E}}$ always lies between 0 and 1; intuitively, if $w_{\mathcal{E}}(ob, h) = 1$, then ob fully
confirms h (i.e., h is certainly true if ob is observed), while if $w_{\mathcal{E}}(ob, h) = 0$, then ob
disconfirms h (i.e., h is certainly false if ob is observed). Moreover, for each fixed observation
ob for which $\sum_{h \in \mathcal{H}} \mu_h(ob) > 0$, $\sum_{h \in \mathcal{H}} w_{\mathcal{E}}(ob, h) = 1$, and thus the weight of evidence
$w_{\mathcal{E}}$ looks like a probability measure for each ob. While this has some useful technical
consequences, one should not interpret $w_{\mathcal{E}}$ as a probability measure. Roughly speaking, the
weight $w_{\mathcal{E}}(ob, h)$ is the likelihood that h is the right hypothesis in the light of observation
ob.² The advantages of $w_{\mathcal{E}}$ over other known measures of confirmation are that (a) it is
applicable when we are not given a prior probability distribution on the hypotheses, (b) it
is applicable when there are more than two competing hypotheses, and (c) it has a fairly
intuitive probabilistic interpretation.

An important problem in statistical inference (Casella & Berger, 2001) is that of choosing 
the best parameter (i.e., hypothesis) that explains observed data. When there is no prior 
on the parameters, the "best" parameter is typically taken to be the one that maximizes 
the likelihood of the data given that parameter. Since $w_{\mathcal{E}}$ is just a normalized likelihood
function, the parameter that maximizes the likelihood will also maximize $w_{\mathcal{E}}$. Thus, if all
we are interested in is maximizing likelihood, there is no need to normalize the evidence as
we do. We return to the issue of normalization in Section 6.³

Note that if $\mathcal{H} = \{h_1, h_2\}$, then $w_{\mathcal{E}}$ in some sense generalizes the log-likelihood ratio
measure. More precisely, for a fixed observation ob, $w_{\mathcal{E}}(ob, \cdot)$ induces the same relative order
on hypotheses as $l(ob, \cdot)$, and for a fixed hypothesis h, $w_{\mathcal{E}}(\cdot, h)$ induces the same relative
order on observations as $l(\cdot, h)$.

Proposition 2.1: For all ob, we have $w_{\mathcal{E}}(ob, h_i) > w_{\mathcal{E}}(ob, h_{3-i})$ if and only if $l(ob, h_i) >
l(ob, h_{3-i})$, for $i = 1, 2$, and for all h, ob, and ob', we have $w_{\mathcal{E}}(ob, h) > w_{\mathcal{E}}(ob', h)$ if and
only if $l(ob, h) > l(ob', h)$.



2. We could have taken the log of the ratio to make $w_{\mathcal{E}}$ parallel the log-likelihood ratio $l$ defined earlier,
but there are technical advantages in having the weight of evidence be a number between 0 and 1.

3. Another representation of evidence that has similar characteristics to $w_{\mathcal{E}}$ is Shafer's original
representation of evidence via belief functions (Shafer, 1976), defined as

$$w^S_{\mathcal{E}}(ob, h) = \frac{\mu_h(ob)}{\max_{h \in \mathcal{H}} \mu_h(ob)}.$$

This measure is known in statistical hypothesis testing as the generalized likelihood-ratio statistic. It is
another generalization of the log-likelihood ratio measure $l$. The main difference between $w_{\mathcal{E}}$ and $w^S_{\mathcal{E}}$ is
how they behave when one considers the combination of evidence, which we discuss later in this section.
As Walley (1987) and Halpern and Fagin (1992) point out, $w_{\mathcal{E}}$ gives more intuitive results in this case.
We remark that the parameter (hypothesis) that maximized likelihood also maximizes $w^S_{\mathcal{E}}$, so $w^S_{\mathcal{E}}$ can
also be used in statistical inference.
Although $w_{\mathcal{E}}(ob, \cdot)$ behaves like a probability measure on hypotheses for every observation
ob, one should not think of it as a probability; the weight of evidence of a combined
hypothesis, for instance, is not generally the sum of the weights of the individual hypotheses
(Halpern & Pucella, 2005a). Rather, $w_{\mathcal{E}}(ob, \cdot)$ is an encoding of evidence. But what
is evidence? Halpern and Fagin (1992) have suggested that evidence can be thought of as
a function mapping a prior probability on the hypotheses to a posterior probability, based
on the observation made. There is a precise sense in which $w_{\mathcal{E}}$ can be viewed as a function
that maps a prior probability $\mu_0$ on the hypotheses $\mathcal{H}$ to a posterior probability $\mu_{ob}$ based
on observing ob, by applying Dempster's Rule of Combination (Shafer, 1976). That is,

$$\mu_{ob} = \mu_0 \oplus w_{\mathcal{E}}(ob, \cdot), \qquad (2)$$

where $\oplus$ combines two probability distributions on $\mathcal{H}$ to get a new probability distribution
on $\mathcal{H}$ defined as follows:

(Dempster's Rule of Combination is used to combine belief functions. The definition of $\oplus$ is
more complicated when considering arbitrary belief functions, but in the special case where
the belief functions are in fact probability measures, it takes the form we give here.)

Bayes' Rule is the standard way of updating a prior probability based on an observation, 
but it is only applicable when we have a joint probability distribution on both the hypotheses 
and the observations (or, equivalently, a prior on hypotheses together with the likelihood 
functions $\mu_h$ for $h \in \mathcal{H}$), something which we do not want to assume we are given. In
particular, while we are willing to assume that we are given the likelihood functions, we 
are not willing to assume that we are given a prior on hypotheses. Dempster's Rule of 
Combination essentially "simulates" the effects of Bayes' Rule. The relationship between 
Dempster's Rule and Bayes' Rule is made precise by the following well-known theorem. 

Proposition 2.2: (Halpern & Fagin, 1992) Let $\mathcal{E} = (\mathcal{H}, \mathcal{O}, \mu)$ be an evidence space. Suppose
that P is a probability on $\mathcal{H} \times \mathcal{O}$ such that $P(\mathcal{H} \times \{ob\} \mid \{h\} \times \mathcal{O}) = \mu_h(ob)$ for all $h \in \mathcal{H}$
and all $ob \in \mathcal{O}$. Let $\mu_0$ be the probability on $\mathcal{H}$ induced by marginalizing P; that is, $\mu_0(h) =
P(\{h\} \times \mathcal{O})$. For $ob \in \mathcal{O}$, let $\mu_{ob} = \mu_0 \oplus w_{\mathcal{E}}(ob, \cdot)$. Then $\mu_{ob}(h) = P(\{h\} \times \mathcal{O} \mid \mathcal{H} \times \{ob\})$.

In other words, when we do have a joint probability on the hypotheses and observations,
then Dempster's Rule of Combination gives us the same result as a straightforward
application of Bayes' Rule. 

Example 2.3: To get a feel for how this measure of evidence can be used, consider a 
variation of the two-coins example in the introduction. Assume that the coin chosen by 
Alice is either double-headed or fair, and consider sequences of a hundred tosses of that coin. 
Let $\mathcal{O} = \{m : 0 \le m \le 100\}$ (the number of heads observed), and let $\mathcal{H} = \{F, D\}$, where F
is "the coin is fair", and D is "the coin is double-headed". The probability spaces associated
with the hypotheses are generated by the following probabilities for simple observations m:

$$\mu_F(m) = \frac{1}{2^{100}}\binom{100}{m} \qquad \mu_D(m) = \begin{cases} 1 & \text{if } m = 100 \\ 0 & \text{otherwise.} \end{cases}$$

(We extend by additivity to the whole set $\mathcal{O}$.) Take $\mathcal{E} = (\mathcal{H}, \mathcal{O}, \mu)$, where $\mu(F) = \mu_F$ and
$\mu(D) = \mu_D$. For any observation $m \ne 100$, the weight in favor of F is given by

$$w_{\mathcal{E}}(m, F) = \frac{\frac{1}{2^{100}}\binom{100}{m}}{0 + \frac{1}{2^{100}}\binom{100}{m}} = 1,$$

which means that the support of m is unconditionally provided to F; indeed, any such
sequence of tosses cannot appear with the double-headed coin. Thus, if $m \ne 100$, we get
that

$$w_{\mathcal{E}}(m, D) = \frac{0}{0 + \frac{1}{2^{100}}\binom{100}{m}} = 0.$$

What happens when the hundred coin tosses are all heads? It is straightforward to check
that

$$w_{\mathcal{E}}(100, F) = \frac{\frac{1}{2^{100}}}{1 + \frac{1}{2^{100}}} = \frac{1}{1 + 2^{100}} \qquad w_{\mathcal{E}}(100, D) = \frac{1}{1 + \frac{1}{2^{100}}} = \frac{2^{100}}{1 + 2^{100}};$$

this time there is overwhelmingly more evidence in favor of D than F.

Note that we have not assumed any prior probability. Thus, we cannot talk about the
probability that the coin is fair or double-headed. What we have is a quantitative assessment
of the evidence in favor of one of the hypotheses. However, if we assume a prior probability
$\alpha$ on the coin being fair and m heads are observed after 100 tosses, then the probability
that the coin is fair is 1 if $m \ne 100$; if $m = 100$ then, applying the rule of combination, the
posterior probability of the coin being fair is $\alpha / (\alpha + (1 - \alpha)2^{100})$. □

Can we characterize weight functions using a small number of properties? More precisely, 
given sets $\mathcal{H}$ and $\mathcal{O}$, and a function f from $\mathcal{O} \times \mathcal{H}$ to [0, 1], are there properties of f that
ensure that there are likelihood functions $\mu$ such that $f = w_{\mathcal{E}}$ for $\mathcal{E} = (\mathcal{H}, \mathcal{O}, \mu)$? As
we saw earlier, for a fixed observation ob, f essentially acts like a probability measure on
$\mathcal{H}$. However, this is not sufficient to guarantee that f is a weight function. Consider the
following example, with $\mathcal{O} = \{ob_1, ob_2\}$ and $\mathcal{H} = \{h_1, h_2, h_3\}$:

$$\begin{array}{ll}
f(ob_1, h_1) = 1/4 & f(ob_2, h_1) = 1/4 \\
f(ob_1, h_2) = 1/4 & f(ob_2, h_2) = 1/2 \\
f(ob_1, h_3) = 1/2 & f(ob_2, h_3) = 1/4.
\end{array}$$

It is straightforward to check that $f(ob_1, \cdot)$ and $f(ob_2, \cdot)$ are probability measures on $\mathcal{H}$,
but that there is no evidence space $\mathcal{E} = (\mathcal{H}, \mathcal{O}, \mu)$ such that $f = w_{\mathcal{E}}$. Indeed, assume that
we do have such $\mu_{h_1}$, $\mu_{h_2}$, $\mu_{h_3}$. By the definition of weight of evidence, and the fact that f
is that weight of evidence, we get the following system of equations:

$$\begin{array}{ll}
\dfrac{\mu_{h_1}(ob_1)}{\mu_{h_1}(ob_1) + \mu_{h_2}(ob_1) + \mu_{h_3}(ob_1)} = 1/4 & \dfrac{\mu_{h_1}(ob_2)}{\mu_{h_1}(ob_2) + \mu_{h_2}(ob_2) + \mu_{h_3}(ob_2)} = 1/4 \\[2ex]
\dfrac{\mu_{h_2}(ob_1)}{\mu_{h_1}(ob_1) + \mu_{h_2}(ob_1) + \mu_{h_3}(ob_1)} = 1/4 & \dfrac{\mu_{h_2}(ob_2)}{\mu_{h_1}(ob_2) + \mu_{h_2}(ob_2) + \mu_{h_3}(ob_2)} = 1/2 \\[2ex]
\dfrac{\mu_{h_3}(ob_1)}{\mu_{h_1}(ob_1) + \mu_{h_2}(ob_1) + \mu_{h_3}(ob_1)} = 1/2 & \dfrac{\mu_{h_3}(ob_2)}{\mu_{h_1}(ob_2) + \mu_{h_2}(ob_2) + \mu_{h_3}(ob_2)} = 1/4.
\end{array}$$

It is now immediate that there exist $\alpha_1$ and $\alpha_2$ such that $\mu_{h_i}(ob_j) = \alpha_j f(ob_j, h_i)$, for
$i = 1, 2, 3$. Indeed, $\alpha_j = \mu_{h_1}(ob_j) + \mu_{h_2}(ob_j) + \mu_{h_3}(ob_j)$, for $j = 1, 2$. Moreover, since $\mu_{h_i}$ is
a probability measure, we must have that

$$\mu_{h_i}(ob_1) + \mu_{h_i}(ob_2) = \alpha_1 f(ob_1, h_i) + \alpha_2 f(ob_2, h_i) = 1,$$

for $i = 1, 2, 3$. Thus,

$$\alpha_1/4 + \alpha_2/4 = \alpha_1/4 + \alpha_2/2 = \alpha_1/2 + \alpha_2/4 = 1.$$

These constraints are easily seen to be unsatisfiable. 

This argument generalizes to arbitrary functions f; thus, a necessary condition for f to
be a weight function is that there exists $\alpha_i$ for each observation $ob_i$ such that $\mu_h(ob_i) =
\alpha_i f(ob_i, h)$ for each hypothesis h is a probability measure, that is, $\alpha_1 f(ob_1, h) + \cdots +
\alpha_k f(ob_k, h) = 1$. In fact, when combined with the constraint that $f(ob, \cdot)$ is a probability
measure for a fixed ob, this condition turns out to be sufficient, as the following theorem
establishes.

Theorem 2.4: Let $\mathcal{H} = \{h_1, \ldots, h_m\}$ and $\mathcal{O} = \{ob_1, \ldots, ob_n\}$, and let f be a real-valued
function with domain $\mathcal{O} \times \mathcal{H}$ such that $f(ob, h) \in [0, 1]$. Then there exists an evidence space
$\mathcal{E} = (\mathcal{H}, \mathcal{O}, \mu)$ such that $f = w_{\mathcal{E}}$ if and only if f satisfies the following properties:

WF1. For every $ob \in \mathcal{O}$, $f(ob, \cdot)$ is a probability measure on $\mathcal{H}$.

WF2. There exists $x_1, \ldots, x_n > 0$ such that, for all $h \in \mathcal{H}$, $\sum_{i=1}^{n} f(ob_i, h)\,x_i = 1$.

This characterization is fundamental to the completeness of the axiomatization of the 
logic we introduce in the next section. The characterization is complicated by the fact 
that the weight of evidence is essentially a normalized likelihood: the likelihood of an 
observation given a particular hypothesis is normalized using the sum of all the likelihoods 
of that observation, for all possible hypotheses. One consequence of this, as we already 
mentioned above, is that the weight of evidence is always between 0 and 1, and superficially
behaves like a probability measure. In Section 6, we examine the issue of normalization 
more carefully, and describe the changes to our framework that would occur were we to 
take unnormalized likelihoods as weight of evidence. 
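
The following added example (not code from the paper) applies Theorem 2.4 in its constructive direction: it checks WF1, solves the WF2 system exactly, and rebuilds likelihood functions as $\mu_h(ob_i) = x_i f(ob_i, h)$. The names `solve_exact`, `recover_likelihoods`, `F_TEXT` and `F_COIN` are hypothetical, `F_COIN` is constructed from the single-toss coin likelihoods, and the sketch assumes the WF2 system has at most one solution.

```python
from fractions import Fraction as Fr


def solve_exact(rows, rhs):
    """Gauss-Jordan elimination over the rationals.

    Returns the unique solution as a list, or None if the system is
    inconsistent. Raises ValueError when the solution is not unique
    (deciding WF2 would then need a linear-programming step).
    """
    n = len(rows[0])
    aug = [[Fr(v) for v in row] + [Fr(b)] for row, b in zip(rows, rhs)]
    r = 0  # index of the next pivot row
    for c in range(n):
        p = next((i for i in range(r, len(aug)) if aug[i][c] != 0), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        pivot = aug[r][c]
        aug[r] = [v / pivot for v in aug[r]]
        for i in range(len(aug)):
            factor = aug[i][c]
            if i != r and factor != 0:
                aug[i] = [a - factor * b for a, b in zip(aug[i], aug[r])]
        r += 1
    # A row reading 0 = nonzero means no solution exists at all.
    if any(all(v == 0 for v in row[:-1]) and row[-1] != 0 for row in aug):
        return None
    if r < n:
        raise ValueError("WF2 system has no unique solution")
    return [aug[i][-1] for i in range(n)]


def recover_likelihoods(f, hyps, obs):
    """Return likelihoods mu with w_E = f, or None if f fails WF1 or WF2."""
    # WF1: for every observation, f(ob, .) is a probability measure.
    for ob in obs:
        vals = [Fr(f[ob, h]) for h in hyps]
        if any(v < 0 for v in vals) or sum(vals) != 1:
            return None
    # WF2: x_1..x_n > 0 with sum_i f(ob_i, h) * x_i = 1 for every h.
    x = solve_exact([[f[ob, h] for ob in obs] for h in hyps], [1] * len(hyps))
    if x is None or any(v <= 0 for v in x):
        return None
    # Construction from the text: mu_h(ob_i) = x_i * f(ob_i, h).
    return {h: {ob: xi * f[ob, h] for ob, xi in zip(obs, x)} for h in hyps}


def weight(mu, ob, h):
    """Equation (1): the likelihood of ob under h, normalised over hypotheses."""
    return mu[h][ob] / sum(mu[g][ob] for g in mu)


# The function f from the text: satisfies WF1 but is not a weight function.
F_TEXT = {
    ("ob1", "h1"): Fr(1, 4), ("ob2", "h1"): Fr(1, 4),
    ("ob1", "h2"): Fr(1, 4), ("ob2", "h2"): Fr(1, 2),
    ("ob1", "h3"): Fr(1, 2), ("ob2", "h3"): Fr(1, 4),
}

# Constructed: weights of one toss (H or T) for the fair (F) and
# double-headed (D) coin, i.e. mu_F(H) = mu_F(T) = 1/2 and mu_D(H) = 1.
F_COIN = {
    ("H", "F"): Fr(1, 3), ("H", "D"): Fr(2, 3),
    ("T", "F"): Fr(1), ("T", "D"): Fr(0),
}

if __name__ == "__main__":
    print(recover_likelihoods(F_TEXT, ["h1", "h2", "h3"], ["ob1", "ob2"]))
    print(recover_likelihoods(F_COIN, ["F", "D"], ["H", "T"]))
```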

Let $\mathcal{E} = (\mathcal{H}, \mathcal{O}, \mu)$ be an evidence space. Let $\mathcal{O}^*$ be the set of sequences of observations
$(ob^1, \ldots, ob^k)$ over $\mathcal{O}$.⁴ Assume that the observations are independent, that is, for each basic
hypothesis h, take $\mu^*_h((ob^1, \ldots, ob^k))$, the probability of observing a particular sequence of
observations given h, to be $\mu_h(ob^1) \cdots \mu_h(ob^k)$, the product of the probability of making
each observation in the sequence. Let $\mathcal{E}^* = (\mathcal{H}, \mathcal{O}^*, \mu^*)$. With this assumption, it is well
known that Dempster's Rule of Combination can be used to combine evidence in this setting;
that is,

$$w_{\mathcal{E}^*}((ob^1, \ldots, ob^k), \cdot) = w_{\mathcal{E}}(ob^1, \cdot) \oplus \cdots \oplus w_{\mathcal{E}}(ob^k, \cdot)$$

(Halpern & Fagin, 1992, Theorem 4.3). It is an easy exercise to check that the weight
provided by the sequence of observations $(ob^1, \ldots, ob^k)$ can be expressed in terms of the
weight of the individual observations:

$$w_{\mathcal{E}^*}((ob^1, \ldots, ob^k), h) = \frac{w_{\mathcal{E}^*}(ob^1, h) \cdots w_{\mathcal{E}^*}(ob^k, h)}{\sum_{h' \in \mathcal{H}} w_{\mathcal{E}^*}(ob^1, h') \cdots w_{\mathcal{E}^*}(ob^k, h')}. \qquad (3)$$

If we let $\mu_0$ be a prior probability on the hypotheses, and $\mu_{(ob^1, \ldots, ob^k)}$ be the probability on
the hypotheses after observing $ob^1, \ldots, ob^k$, we can verify that

$$\mu_{(ob^1, \ldots, ob^k)} = \mu_0 \oplus w_{\mathcal{E}^*}((ob^1, \ldots, ob^k), \cdot).$$

4. We use superscript rather than subscripts to index observations in a sequence so that these observations
will not be confused with the basic observations $ob_1, \ldots, ob_n$ in $\mathcal{O}$.

Example 2.5: Consider a variant of Example 2.3, where we take the coin tosses as individual
observations, rather than the number of heads that turn up in one hundred coin
tosses. As before, assume that the coin chosen by Alice is either double-headed or fair. Let
$\mathcal{O} = \{H, T\}$, the result of an individual coin toss, where H is "the coin landed heads" and
T is "the coin landed tails". Let $\mathcal{H} = \{F, D\}$, where F is "the coin is fair", and D is "the
coin is double-headed". Let $\mathcal{E}^* = (\mathcal{H}, \mathcal{O}^*, \mu^*)$. The probability measures $\mu^*_h$ associated with
the hypotheses h are generated by the following probabilities for simple observations:

$$\mu_F(H) = \frac{1}{2} \qquad \mu_D(H) = 1.$$

Thus, for example, $\mu^*_F((H, H, T, H)) = 1/16$, $\mu^*_D((H, H, H)) = 1$, and $\mu^*_D((H, H, T, H)) = 0$.

We can now easily verify results similar to those that were obtained in Example 2.3.
For instance, the weight of observing T in favor of F is given by

which again indicates that observing T provides unconditional support to F; a double-headed
coin cannot land tails.

How about sequences of observations? The weight provided by the sequence $(ob^1, \ldots, ob^k)$
for hypothesis h is given by Equation (3). Thus, if $\mathbf{H} = (H, \ldots, H)$, a sequence of a hundred
coin tosses, we can check that

$$w_{\mathcal{E}^*}(\mathbf{H}, F) = \frac{\frac{1}{2^{100}}}{1 + \frac{1}{2^{100}}} = \frac{1}{1 + 2^{100}} \qquad w_{\mathcal{E}^*}(\mathbf{H}, D) = \frac{1}{1 + \frac{1}{2^{100}}} = \frac{2^{100}}{1 + 2^{100}}.$$

Unsurprisingly, this is the same result as in Example 2.3. □
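
The computations of Examples 2.3 and 2.5, together with Equations (1) to (3) and Proposition 2.2, can be checked with exact rational arithmetic. This is an added example, not code from the paper; it also goes beyond the coin by accumulating evidence in a constructed evidence space for the intrusion-detection setting mentioned in the introduction. All names and the `MONITOR` likelihoods, `SESSION` observations and priors are assumptions made for illustration.

```python
from fractions import Fraction as Fr
from functools import reduce


def weights(mu, ob):
    """Equation (1): w_E(ob, .) is mu_h(ob) normalised over all hypotheses."""
    total = sum(mu[h].get(ob, Fr(0)) for h in mu)
    if total == 0:
        raise ValueError(f"{ob!r} is not relevant to any hypothesis")
    return {h: mu[h].get(ob, Fr(0)) / total for h in mu}


def combine(p, q):
    """Dempster's Rule of Combination for two probability measures on the
    hypotheses (standard form: pointwise product, then renormalise)."""
    norm = sum(p[h] * q[h] for h in p)
    if norm == 0:
        raise ValueError("measures are completely conflicting")
    return {h: p[h] * q[h] / norm for h in p}


def sequence_weights(mu, obs):
    """Weight of a sequence of independent observations, obtained by folding
    the single-observation weights with the rule of combination (Equation (3))."""
    return reduce(combine, (weights(mu, ob) for ob in obs))


def bayes_posterior(prior, mu, obs):
    """Bayes' Rule on the joint P(h, obs) = prior(h) * prod_i mu_h(ob_i)."""
    joint = {}
    for h in mu:
        like = Fr(1)
        for ob in obs:
            like *= mu[h].get(ob, Fr(0))
        joint[h] = prior[h] * like
    total = sum(joint.values())
    return {h: v / total for h, v in joint.items()}


# Example 2.5: fair (F) and double-headed (D) coin, single tosses H and T.
COIN = {"F": {"H": Fr(1, 2), "T": Fr(1, 2)}, "D": {"H": Fr(1)}}
PRIOR_COIN = {"F": Fr(1, 3), "D": Fr(2, 3)}  # constructed prior, alpha = 1/3

# Constructed likelihoods of login observations under two hypotheses.
MONITOR = {
    "legit": {"normal_login": Fr(90, 100), "off_hours_login": Fr(8, 100),
              "failed_login": Fr(2, 100)},
    "intruder": {"normal_login": Fr(20, 100), "off_hours_login": Fr(30, 100),
                 "failed_login": Fr(50, 100)},
}
SESSION = ["failed_login", "failed_login", "off_hours_login"]  # constructed
RARE_PRIOR = {"legit": Fr(999999, 10**6), "intruder": Fr(1, 10**6)}


def should_quarantine(mu, obs, threshold=Fr(99, 100)):
    """Prior-free decision: act on the accumulated weight of evidence alone."""
    return sequence_weights(mu, obs)["intruder"] >= threshold


if __name__ == "__main__":
    heads = ["H"] * 100
    print("w(T, .)       =", weights(COIN, "T"))
    print("w(100 heads)  =", sequence_weights(COIN, heads))
    print("quarantine?   =", should_quarantine(MONITOR, SESSION))
    # Strong evidence, yet a tiny prior still yields a small posterior.
    post = combine(RARE_PRIOR, sequence_weights(MONITOR, SESSION))
    print("posterior     =", float(post["intruder"]))
```

With the constructed numbers, the session carries a weight above 0.999 for the intruder hypothesis, yet a prior of one in a million still leaves the posterior below 1%, which is the prior-to-posterior reading of evidence described in the text.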



3. Reasoning about Evidence 

We introduce a logic $\mathcal{L}^{fo\text{-}ev}$ for reasoning about evidence, inspired by a logic introduced in
FHM for reasoning about probability. The logic lets us reason about the weight of evidence
of observations for hypotheses; moreover, to be able to talk about the relationship between
prior probabilities, evidence, and posterior probabilities, we provide operators to reason
about the prior and posterior probabilities of hypotheses. We remark that up to now we
have been somewhat agnostic about whether the priors exist but are not given (or not
known) or whether the prior does not exist at all. It is beyond the scope of this paper to
enter the debate about whether it is always appropriate to assume the existence of a prior.
Although the definition of evidence makes sense even if the priors do not exist, our logic
implicitly assumes that there are priors (although they may not be known), since we provide
operators for reasoning about the prior. We make use of these operators in some of the
examples below. However, the fragment of the logic that does not use these operators is 
appropriate for prior-free reasoning. 

The logic has both propositional features and first-order features. We take the probability
of propositions and the weight of evidence of observations for hypotheses, and view
probability and evidence as propositions, but we allow first-order quantification over numerical
quantities, such as probabilities and evidence. The logic essentially considers two
time periods, which can be thought of as the time before an observation is made and the
time after an observation is made. In this section, we assume that exactly one observation
is made. (We consider sequences of observations in Section 7.) Thus, we can talk of the
probability of a formula $\varphi$ before an observation is made, denoted $\Pr^0(\varphi)$, the probability
of $\varphi$ after the observation, denoted $\Pr(\varphi)$, and the evidence provided by the observation ob
for an hypothesis h, denoted $w(ob, h)$. Of course, we want to be able to use the logic to
relate all these quantities. 

Formally, we start with two finite sets of primitive propositions, $\Phi_h = \{h_1, \ldots, h_{n_h}\}$
representing the hypotheses, and $\Phi_o = \{ob_1, \ldots, ob_{n_o}\}$ representing the observations. Let
$\mathcal{L}_h(\Phi_h)$ be the propositional sublanguage of hypothesis formulas obtained by taking primitive
propositions in $\Phi_h$ and closing off under negation and conjunction; we use $\rho$ to range
over formulas of that sublanguage.

A basic term has the form $\Pr^0(\rho)$, $\Pr(\rho)$, or $w(ob, h)$, where $\rho$ is an hypothesis formula,
ob is an observation, and h is an hypothesis. As we said, we interpret $\Pr^0(\rho)$ as the
prior probability of $\rho$, $\Pr(\rho)$ as the posterior probability of $\rho$, and $w(ob, h)$ as the weight of
evidence of observation ob for hypothesis h. It may seem strange that we allow the language
to talk about the prior probability of hypotheses, although we have said that we do not
want to assume that the prior is known. We could, of course, simplify the syntax so that
it did not include formulas of the form $\Pr^0(\rho)$ or $\Pr(\rho)$. The advantage of having them is
that, even if the prior is not known, given our view of evidence as a function from priors
to posteriors, we can make statements such as "if the prior probability of h is 2/3, ob is
observed, and the weight of evidence of ob for h is 3/4, then the posterior probability of h
is 6/7"; this is just

$$\Pr^0(h) = 1/2 \land ob \land w(ob, h) = 3/4 \Rightarrow \Pr(h) = 6/7.$$

A polynomial term has the form $t_1 + \cdots + t_n$, where each term $t_i$ is a product of integers,
basic terms, and variables (which range over the reals). A polynomial inequality formula
has the form $p \geq c$, where $p$ is a polynomial term and $c$ is an integer. Let $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$
be the language obtained by starting out with the primitive propositions in $\Phi_h$ and $\Phi_o$
and polynomial inequality formulas, and closing off under conjunction, negation, and
first-order quantification. Let true be an abbreviation for an arbitrary propositional tautology
involving only hypotheses, such as $h_1 \lor \neg h_1$; let false be an abbreviation for $\neg$true. With
this definition, true and false can be considered as part of the sublanguage $\mathcal{L}_h(\Phi_h)$.

It should be clear that while we allow only integer coefficients to appear in polynomial
terms, we can in fact express polynomial terms with rational coefficients by crossmultiplying.
For instance, $\frac{1}{3}\Pr(\rho) + \frac{1}{2}\Pr(\rho') \geq 1$ can be represented by the polynomial inequality formula
$2\Pr(\rho) + 3\Pr(\rho') \geq 6$. While there is no difficulty in giving a semantics to polynomial terms
that use arbitrary real coefficients, we need the restriction to integers in order to make use
of results from the theory of real closed fields in both the axiomatization of Section 4 and
the complexity results of Section 5.

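We use obvious abbreviations where needed, such as $\varphi \lor \psi$ for $\neg(\neg\varphi \land \neg\psi)$, $\varphi \Rightarrow \psi$ for
$\neg\varphi \lor \psi$, $\exists x\varphi$ for $\neg\forall x(\neg\varphi)$, $\Pr(\varphi) - \Pr(\psi) \geq c$ for $\Pr(\varphi) + (-1)\Pr(\psi) \geq c$, $\Pr(\varphi) \geq \Pr(\psi)$ for
$\Pr(\varphi) - \Pr(\psi) \geq 0$, $\Pr(\varphi) \leq c$ for $-\Pr(\varphi) \geq -c$, $\Pr(\varphi) < c$ for $\neg(\Pr(\varphi) \geq c)$, and $\Pr(\varphi) = c$
for $(\Pr(\varphi) \geq c) \land (\Pr(\varphi) \leq c)$ (and analogous abbreviations for inequalities involving $\Pr^0$
and $w$).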

Example 3.1: Consider again the situation given in Example 2.3. Let $\Phi_o$, the observations,
consist of primitive propositions of the form heads[m], where $m$ is an integer with $0 \leq m \leq 100$,
indicating that $m$ heads out of 100 tosses have appeared. Let $\Phi_h$ consist of the two
primitive propositions fair and doubleheaded. The computations in Example 2.3 can be
written as follows:

$$w(\text{heads}[100], \text{fair}) = 1/(1 + 2^{100}) \land w(\text{heads}[100], \text{doubleheaded}) = 2^{100}/(1 + 2^{100}).$$

We can also capture the fact that the weight of evidence of an observation maps a prior
probability into a posterior probability by Dempster's Rule of Combination. For example,
the following formula captures the update of the prior probability $\alpha$ of the hypothesis fair
upon observation of a hundred coin tosses landing heads:

$$\Pr^0(\text{fair}) = \alpha \land w(\text{heads}[100], \text{fair}) = 1/(1 + 2^{100}) \Rightarrow \Pr(\text{fair}) = \alpha/(\alpha + (1 - \alpha)2^{100}).$$

We develop a deductive system to derive such conclusions in the next section. □

Now we consider the semantics. A formula is interpreted in a world that specifies which
hypothesis is true and which observation was made, as well as an evidence space to interpret
the weight of evidence of observations and a probability distribution on the hypotheses to
interpret prior probabilities and talk about updating based on evidence. (We do not need
to include a posterior probability distribution, since it can be computed from the prior and
the weights of evidence using Equation (2).) An evidential world is a tuple $w = (h, ob, \mu, \mathcal{E})$,
where $h$ is a hypothesis, $ob$ is an observation, $\mu$ is a probability distribution on $\Phi_h$, and $\mathcal{E}$
is an evidence space over $\Phi_h$ and $\Phi_o$.

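To interpret propositional formulas in $\mathcal{L}_h(\Phi_h)$, we associate with each hypothesis formula
$\rho$ a set $[\![\rho]\!]$ of hypotheses, by induction on the structure of $\rho$:

$$[\![h]\!] = \{h\}$$

$$[\![\neg\rho]\!] = \Phi_h - [\![\rho]\!]$$

$$[\![\rho_1 \land \rho_2]\!] = [\![\rho_1]\!] \cap [\![\rho_2]\!].$$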

To interpret first-order formulas that may contain variables, we need a valuation $v$ that
assigns a real number to every variable. Given an evidential world $w = (h, ob, \mu, \mathcal{E})$ and a
valuation $v$, we assign to a polynomial term $p$ a real number $[p]^{w,v}$ in a straightforward way:

$$[x]^{w,v} = v(x)$$

$$[a]^{w,v} = a$$

$$[\Pr^0(\rho)]^{w,v} = \mu([\![\rho]\!])$$

$$[\Pr(\rho)]^{w,v} = (\mu \oplus w_{\mathcal{E}}(ob, \cdot))([\![\rho]\!])$$

$$[w(ob', h')]^{w,v} = w_{\mathcal{E}}(ob', h')$$

$$[t_1 t_2]^{w,v} = [t_1]^{w,v} \times [t_2]^{w,v}$$

$$[p_1 + p_2]^{w,v} = [p_1]^{w,v} + [p_2]^{w,v}.$$

Note that, to interpret $\Pr(\rho)$, the posterior probability of $\rho$ after having observed $ob$ (the
observation at world $w$), we use Equation (2), which says that the posterior is obtained by
combining the prior probability $\mu$ with $w_{\mathcal{E}}(ob, \cdot)$.

We define what it means for a formula $\varphi$ to be true (or satisfied) at an evidential world
$w$ under valuation $v$, written $(w, v) \models \varphi$, as follows:

$(w, v) \models h$ if $w = (h, ob, \mu, \mathcal{E})$ for some $ob$, $\mu$, $\mathcal{E}$

$(w, v) \models ob$ if $w = (h, ob, \mu, \mathcal{E})$ for some $h$, $\mu$, $\mathcal{E}$

$(w, v) \models \neg\varphi$ if $(w, v) \not\models \varphi$

$(w, v) \models \varphi \land \psi$ if $(w, v) \models \varphi$ and $(w, v) \models \psi$

$(w, v) \models p \geq c$ if $[p]^{w,v} \geq c$

$(w, v) \models \forall x\varphi$ if $(w, v') \models \varphi$ for all $v'$ that agree with $v$ on all variables but $x$.

If $(w, v) \models \varphi$ is true for all $v$, we write simply $w \models \varphi$. It is easy to check that if $\varphi$
is a closed formula (that is, one with no free variables), then $(w, v) \models \varphi$ if and only if
$(w, v') \models \varphi$, for all $v, v'$. Therefore, given a closed formula $\varphi$, if $(w, v) \models \varphi$, then in fact
$w \models \varphi$. We will typically be concerned only with closed formulas. Finally, if $w \models \varphi$ for
all evidential worlds $w$, we write $\models \varphi$ and say that $\varphi$ is valid. In the next section, we will
characterize axiomatically all the valid formulas of the logic.

Example 3.2: The following formula is valid, that is, true in all evidential worlds:

$$\models (w(ob, h_1) = 2/3 \land w(ob, h_2) = 1/3) \Rightarrow (\Pr^0(h_1) \geq 1/100 \land ob) \Rightarrow \Pr(h_1) \geq 2/101.$$

In other words, at all evidential worlds where the weight of evidence of observation $ob$ for
hypothesis $h_1$ is 2/3 and the weight of evidence of observation $ob$ for hypothesis $h_2$ is 1/3,
it must be the case that if the prior probability of $h_1$ is at least 1/100 and $ob$ is actually
observed, then the posterior probability of $h_1$ is at least 2/101. This shows the extent to
which we can reason about the evidence independently of the prior probabilities. □
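The semantics above can be run directly. The following Python evaluator is an added example, not code from the paper: it interprets variable-free terms and quantifier-free formulas at an evidential world whose evidence space is given by likelihoods, and builds the worlds of Examples 3.1 and 3.2. The tuple encoding of formulas, all class and function names, and the likelihoods 1/2 and 1/4 are assumptions made for the illustration; rational constants are accepted in place of cross-multiplied integers.

```python
from fractions import Fraction as F


class EvidentialWorld:
    """w = (h, ob, mu, E): true hypothesis, observation made, prior mu on the
    hypotheses, and evidence space E given as lik[h][ob] = mu_h(ob)."""

    def __init__(self, h, ob, prior, lik):
        self.h, self.ob, self.prior, self.lik = h, ob, prior, lik
        self.hyps = list(lik)

    def weight(self, ob, h):
        # w_E(ob, h): likelihood of ob under h, normalized over all hypotheses.
        # In an evidence space some hypothesis gives ob nonzero likelihood.
        return self.lik[h][ob] / sum(self.lik[g][ob] for g in self.hyps)

    def denote(self, rho):
        # [[rho]]: the set of hypotheses satisfying hypothesis formula rho.
        if isinstance(rho, str):
            return {rho}
        if rho[0] == "not":
            return set(self.hyps) - self.denote(rho[1])
        if rho[0] == "and":
            return self.denote(rho[1]) & self.denote(rho[2])
        raise ValueError(f"not a hypothesis formula: {rho!r}")

    def term(self, t):
        # [t]^{w,v} for variable-free polynomial terms, so no valuation is needed.
        if isinstance(t, (int, F)):
            return F(t)
        op = t[0]
        if op == "pr0":   # prior: mu([[rho]])
            return sum((self.prior[g] for g in self.denote(t[1])), F(0))
        if op == "pr":    # posterior: (mu (+) w_E(ob, .))([[rho]]), Dempster's rule
            joint = {g: self.prior[g] * self.weight(self.ob, g) for g in self.hyps}
            total = sum(joint.values(), F(0))
            if total == 0:
                raise ValueError("prior rules out the observation; posterior undefined")
            return sum((joint[g] for g in self.denote(t[1])), F(0)) / total
        if op == "w":
            return self.weight(t[1], t[2])
        if op == "mul":
            return self.term(t[1]) * self.term(t[2])
        if op == "add":
            return self.term(t[1]) + self.term(t[2])
        raise ValueError(f"not a term: {t!r}")

    def sat(self, f):
        # (w, v) |= f for closed, quantifier-free formulas.
        if isinstance(f, str):   # primitive proposition: hypothesis or observation
            return f in (self.h, self.ob)
        if f[0] == "not":
            return not self.sat(f[1])
        if f[0] == "and":
            return self.sat(f[1]) and self.sat(f[2])
        if f[0] == "geq":        # polynomial inequality formula p >= c
            return self.term(f[1]) >= f[2]
        raise ValueError(f"not a formula: {f!r}")


def implies(a, b):   # a => b abbreviates not(a and not b)
    return ("not", ("and", a, ("not", b)))


def eq(t, c):        # t = c abbreviates (t >= c) and (-t >= -c)
    return ("and", ("geq", t, c), ("geq", ("mul", -1, t), -c))


def coin_world(alpha):
    # Example 3.1: 100 heads observed, prior alpha on "fair".
    lik = {"fair": {"heads100": F(1, 2**100)}, "doubleheaded": {"heads100": F(1)}}
    prior = {"fair": alpha, "doubleheaded": 1 - alpha}
    return EvidentialWorld("doubleheaded", "heads100", prior, lik)


def example_3_2_holds(prior_h1):
    # Constructed likelihoods 1/2 and 1/4 normalize to the weights 2/3 and 1/3.
    lik = {"h1": {"ob": F(1, 2)}, "h2": {"ob": F(1, 4)}}
    w = EvidentialWorld("h1", "ob", {"h1": prior_h1, "h2": 1 - prior_h1}, lik)
    weights = ("and", eq(("w", "ob", "h1"), F(2, 3)), eq(("w", "ob", "h2"), F(1, 3)))
    update = implies(("and", ("geq", ("pr0", "h1"), F(1, 100)), "ob"),
                     ("geq", ("pr", "h1"), F(2, 101)))
    return w.sat(implies(weights, update))


if __name__ == "__main__":
    w = coin_world(F(999, 1000))
    print("w(heads100, fair) =", w.term(("w", "heads100", "fair")))
    print("Pr(fair) =", float(w.term(("pr", "fair"))))
    print("Example 3.2 holds for priors k/200:",
          all(example_3_2_holds(F(k, 200)) for k in range(201)))
```

Exact rational arithmetic matters here: with floating point, $1/(1 + 2^{100})$ and the posterior of fair would both round in ways that make the equality formulas fail.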

The logic imposes no restriction on the prior probabilities to be used in the models.
This implies, for instance, that the formula

$$\text{fair} \land \Pr^0(\text{fair}) = 0$$

is satisfiable: there exists an evidential world $w$ such that the formula is true at $w$. In other
words, it is consistent for an hypothesis to be true, despite the prior probability of it being
true being 0. It is a simple matter to impose a restriction on the models that they be such
that if $h$ is true at a world, then $\mu(h) > 0$ for the prior $\mu$ at that world.
We conclude this section with some remarks concerning the semantic model. Our
semantic model implicitly assumes that the prior probability is known and that the likelihood
functions (i.e., the measures $\mu_h$) are known. Of course, in many situations there will be
uncertainty about both. Indeed, our motivation for focusing on evidence is precisely to deal
with situations where the prior is not known. Handling uncertainty about the prior is easy
in our framework, since our notion of evidence is independent of the prior on hypotheses. It
is straightforward to extend our model by allowing a set of possible worlds, with a different
prior in each, but using the same evidence space for all of them. We can then extend the
logic with a knowledge operator, where a statement is known to be true if it is true in all
the worlds. This allows us to make statements like "I know that the prior on hypothesis
$h$ is between $\alpha$ and $\beta$. Since observation $ob$ provides evidence 3/4 for $h$, I know that the
posterior on $h$ given $ob$ is between $(3\alpha)/(2\alpha + 1)$ and $(3\beta)/(2\beta + 1)$."

Dealing with uncertainty about the likelihood functions is somewhat more subtle. To 
understand the issue, suppose that one of two coins will be chosen and tossed. The bias of 
coin 1 (i.e., the probability that coin 1 lands heads) is between 2/3 and 3/4; the bias of coin 
2 is between 1/4 and 1/3. Here there is uncertainty about the probability that coin 1 will 
be picked (this is uncertainty about the prior) and there is uncertainty about the bias of 
each coin (this is uncertainty about the likelihood functions). The problem here is that, to 
deal with this, we must consider possible worlds where there is a possibly different evidence 
space in each world. It is then not obvious how to define weight of evidence. We explore 
this issue in more detail in a companion paper (Halpern & Pucella, 2005a). 

4. Axiomatizing Evidence 

In this section we present a sound and complete axiomatization $\mathbf{AX}(\Phi_h, \Phi_o)$ for our logic.

The axiomatization can be divided into four parts. The first part, consisting of the 
following axiom and inference rule, accounts for first-order reasoning: 

Taut. All substitution instances of valid formulas of first-order logic with equality. 

MP. From $\varphi$ and $\varphi \Rightarrow \psi$ infer $\psi$.

Instances of Taut include, for example, all formulas of the form $\varphi \lor \neg\varphi$, where $\varphi$ is an
arbitrary formula of the logic. It also includes formulas such as $(\forall x\varphi) \Leftrightarrow \varphi$ if $x$ is not free
in $\varphi$. In particular, $(\forall x(h)) \Leftrightarrow h$ for hypotheses in $\Phi_h$, and similarly for observations in
$\Phi_o$. Note that Taut includes all substitution instances of valid formulas of first-order logic
with equality; in other words, any valid formula of first-order logic with equality where
free variables are replaced with arbitrary terms of our language (including $\Pr^0(\rho)$, $\Pr(\rho)$,
$w(ob, h)$) is an instance of Taut. Axiom Taut can be replaced by a sound and complete
axiomatization for first-order logic with equality, as given, for instance, in Shoenfield (1967)
or Enderton (1972).

The second set of axioms accounts for reasoning about polynomial inequalities, by relying 
on the theory of real closed fields: 

RCF. All instances of formulas valid in real closed fields (and, thus, true about the reals),
with nonlogical symbols $+$, $\cdot$, $<$, $0$, $1$, $-1$, $2$, $-2$, $3$, $-3$, ....

Formulas that are valid in real closed fields include, for example, the fact that addition on the
reals is associative, $\forall x \forall y \forall z((x + y) + z = x + (y + z))$, that 1 is the identity for multiplication,
$\forall x(x \cdot 1 = x)$, and formulas relating the constant symbols, such as $k = 1 + \cdots + 1$ ($k$ times) and
$-1 + 1 = 0$. As for Taut, we could replace RCF by a sound and complete axiomatization
for real closed fields (cf. Fagin et al., 1990; Shoenfield, 1967; Tarski, 1951).

The third set of axioms essentially captures the fact that there is a single hypothesis 
and a single observation that holds per state. 

H1. $h_1 \lor \cdots \lor h_{n_h}$.

H2. $h_i \Rightarrow \neg h_j$ if $i \neq j$.

O1. $ob_1 \lor \cdots \lor ob_{n_o}$.

O2. $ob_i \Rightarrow \neg ob_j$ if $i \neq j$.

These axioms illustrate a subtlety of our logic. Like most propositional logics, ours is
parameterized by primitive propositions, in our case, $\Phi_h$ and $\Phi_o$. However, while
axiomatizations for propositional logics typically do not depend on the exact set of primitive
propositions, ours does. Clearly, axiom H1 is sound only if the hypothesis primitives are
exactly $h_1, \ldots, h_{n_h}$. Similarly, axiom O1 is sound only if the observation primitives are
exactly $ob_1, \ldots, ob_{n_o}$. It is therefore important for us to identify the primitive propositions
when talking about the axiomatization $\mathbf{AX}(\Phi_h, \Phi_o)$.

The last set of axioms concerns reasoning about probabilities and evidence proper. The 
axioms for probability are taken from FHM. 

Pr1. $\Pr^0(\text{true}) = 1$.

Pr2. $\Pr^0(\rho) \geq 0$.

Pr3. $\Pr^0(\rho_1 \land \rho_2) + \Pr^0(\rho_1 \land \neg\rho_2) = \Pr^0(\rho_1)$.

Pr4. $\Pr^0(\rho_1) = \Pr^0(\rho_2)$ if $\rho_1 \Leftrightarrow \rho_2$ is a propositional tautology.

Axiom Pr1 simply says that the event true has probability 1. Axiom Pr2 says that
probability is nonnegative. Axiom Pr3 captures finite additivity. It is not possible to express
countable additivity in our logic. On the other hand, just as in FHM, we do not need an 
axiom for countable additivity. Roughly speaking, as we establish in the next section, if 
a formula is satisfiable at all, it is satisfiable in a finite structure. Similar axioms capture 
posterior probability formulas: 

Po1. $\Pr(\text{true}) = 1$.

Po2. $\Pr(\rho) \geq 0$.

Po3. $\Pr(\rho_1 \land \rho_2) + \Pr(\rho_1 \land \neg\rho_2) = \Pr(\rho_1)$.

Po4. $\Pr(\rho_1) = \Pr(\rho_2)$ if $\rho_1 \Leftrightarrow \rho_2$ is a propositional tautology.
Finally, we need axioms to account for the behavior of the evidence operator $w$. What
are these properties? For one thing, the weight function acts essentially like a probability
on hypotheses, for each fixed observation, except that we are restricted to taking the weight
of evidence of basic hypotheses only. This gives the following axioms:

E1. $w(ob, h) \geq 0$.

E2. $w(ob, h_1) + \cdots + w(ob, h_{n_h}) = 1$.

Second, evidence connects the prior and posterior beliefs via Dempster's Rule of
Combination, as in (2). This is captured by the following axiom. (Note that, since we do not
have division in the language, we crossmultiply to clear the denominator.)

E3. $ob \Rightarrow (\Pr^0(h)\,w(ob, h) = \Pr(h)\Pr^0(h_1)\,w(ob, h_1) + \cdots + \Pr(h)\Pr^0(h_{n_h})\,w(ob, h_{n_h}))$.

This is not quite enough. As we saw in Section 2, property WF2 in Theorem 2.4 is
required for a function to be an evidence function. The following axiom captures WF2 in
our logic:

E4. $\exists x_1 \ldots \exists x_{n_o}(x_1 > 0 \land \cdots \land x_{n_o} > 0 \land w(ob_1, h_1)x_1 + \cdots + w(ob_{n_o}, h_1)x_{n_o} = 1 \land \cdots \land w(ob_1, h_{n_h})x_1 + \cdots + w(ob_{n_o}, h_{n_h})x_{n_o} = 1)$.

Note that axiom E4 is the only axiom that requires quantification. Moreover, axioms E3
and E4 both depend on $\Phi_h$ and $\Phi_o$.
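Axioms E1 to E4 can be checked mechanically on a concrete weight table. The Python sketch below is an added example, not the paper's: it tests E1, E2 and the cross-multiplied E3, checks E4 against an explicit witness (for weights obtained by normalizing likelihoods, taking $x_i$ to be the sum over $h$ of $\mu_h(ob_i)$ works), and recovers the likelihoods from that witness. The function names, the sample tables and the dominance test, used as a sufficient certificate that no E4 witness exists, are assumptions introduced for the illustration.

```python
from fractions import Fraction as F


def weights(lik, hyps, obs):
    # Normalized likelihoods: w[ob][h] = mu_h(ob) / sum_g mu_g(ob).
    return {ob: {h: lik[h][ob] / sum(lik[g][ob] for g in hyps) for h in hyps}
            for ob in obs}


def holds_E1_E2(w, hyps, obs):
    # E1: every weight is nonnegative. E2: for each fixed observation the
    # weights over all hypotheses sum to 1.
    return (all(w[ob][h] >= 0 for ob in obs for h in hyps)
            and all(sum(w[ob][h] for h in hyps) == 1 for ob in obs))


def holds_E3(w, hyps, ob, prior, post):
    # Cross-multiplied Dempster's rule for the observed ob, for every h:
    # Pr0(h) w(ob,h) = Pr(h) * (Pr0(h_1) w(ob,h_1) + ... + Pr0(h_n) w(ob,h_n)).
    norm = sum(prior[g] * w[ob][g] for g in hyps)
    return all(prior[h] * w[ob][h] == post[h] * norm for h in hyps)


def holds_E4_with(w, hyps, obs, x):
    # E4 for an explicit witness x: every x_i > 0 and, for each hypothesis h,
    # w(ob_1,h) x_1 + ... + w(ob_n,h) x_n = 1.
    return (all(x[ob] > 0 for ob in obs)
            and all(sum(w[ob][h] * x[ob] for ob in obs) == 1 for h in hyps))


def likelihoods_from_witness(w, hyps, obs, x):
    # mu_h(ob) = w(ob,h) * x_ob. E4 makes each mu_h sum to 1 over observations,
    # and E2 makes these likelihoods normalize back to w.
    return {h: {ob: w[ob][h] * x[ob] for ob in obs} for h in hyps}


def dominated_pair(w, hyps, obs):
    # Sufficient (not necessary) certificate that E4 has no witness: if
    # w(ob,h) >= w(ob,g) for every ob and > for some ob, then for any x > 0 the
    # E4 sum for h is strictly larger than the one for g, so both cannot be 1.
    for h in hyps:
        for g in hyps:
            if (h != g and all(w[ob][h] >= w[ob][g] for ob in obs)
                    and any(w[ob][h] > w[ob][g] for ob in obs)):
                return (h, g)
    return None


# Constructed evidence space: two hypotheses, three observations.
HYPS, OBS = ["A", "B"], ["o1", "o2", "o3"]
LIK = {"A": {"o1": F(1, 2), "o2": F(1, 3), "o3": F(1, 6)},
       "B": {"o1": F(1, 4), "o2": F(1, 4), "o3": F(1, 2)}}
W = weights(LIK, HYPS, OBS)
X = {ob: sum(LIK[h][ob] for h in HYPS) for ob in OBS}   # E4 witness

# Constructed table that passes E1 and E2 but is not a weight of evidence
# function: both observations favour A, so no positive x can satisfy E4.
BAD_OBS = ["o1", "o2"]
BAD = {"o1": {"A": F(2, 3), "B": F(1, 3)}, "o2": {"A": F(2, 3), "B": F(1, 3)}}

if __name__ == "__main__":
    print("E1, E2:", holds_E1_E2(W, HYPS, OBS))
    print("E4 witness:", X, holds_E4_with(W, HYPS, OBS, X))
    print("BAD passes E1, E2:", holds_E1_E2(BAD, HYPS, BAD_OBS),
          "dominated pair:", dominated_pair(BAD, HYPS, BAD_OBS))
```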

As an example, we show that if $h$ and $h'$ are distinct hypotheses in $\Phi_h$, then the formula

$$\neg(w(ob, h) = 2/3 \land w(ob, h') = 2/3)$$

is provable. First, by RCF, the following valid formula of the theory of real closed fields is
provable:

$$\forall x \forall y(x = 2/3 \land y = 2/3 \Rightarrow x + y > 1).$$

Moreover, if $\varphi(x, y)$ is any first-order logic formula with two free variables $x$ and $y$, then

$$(\forall x \forall y(\varphi(x, y))) \Rightarrow \varphi(w(ob, h), w(ob, h'))$$

is a substitution instance of a valid formula of first-order logic with equality, and hence is
an instance of Taut. Thus, by MP, we can prove that

$$w(ob, h) = 2/3 \land w(ob, h') = 2/3 \Rightarrow w(ob, h) + w(ob, h') > 1,$$

which is provably equivalent (by Taut and MP) to its contrapositive

$$w(ob, h) + w(ob, h') \leq 1 \Rightarrow \neg(w(ob, h) = 2/3 \land w(ob, h') = 2/3).$$

By an argument similar to that above, using RCF, Taut, MP, E1, and E2, we can derive

$$w(ob, h) + w(ob, h') \leq 1,$$

and by MP, we obtain the desired conclusion: $\neg(w(ob, h) = 2/3 \land w(ob, h') = 2/3)$.
Theorem 4.1: $\mathbf{AX}(\Phi_h, \Phi_o)$ is a sound and complete axiomatization for $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$ with
respect to evidential worlds.

As usual, soundness is straightforward, and to prove completeness, it suffices to show
that if a formula $\varphi$ is consistent with $\mathbf{AX}(\Phi_h, \Phi_o)$, it is satisfiable in an evidential
structure. However, the usual approach for proving completeness in modal logic, which involves
considering maximal consistent sets and canonical structures, does not work. The problem
is that there are maximal consistent sets of formulas that are not satisfiable. For example,
there is a maximal consistent set of formulas that includes $\Pr(\rho) > 0$ and $\Pr(\rho) < 1/n$ for
$n = 1, 2, \ldots$. This is clearly unsatisfiable. Our proof follows the techniques developed in
FHM.

To express axiom E4, we needed to have quantification in the logic. This is where the 
fact that our representation of evidence is normalized has a nontrivial effect on the logic: E4 
corresponds to property WF2, which essentially says that a function is a weight of evidence 
function if one can find such a normalization factor. An interesting question is whether it 
is possible to find a sound and complete axiomatization for the propositional fragment of 
our logic (without quantification or variables). To do this, we need to give quantifier-free 
axioms to replace axiom E4. This amounts to asking whether there is a simpler property 
than WF2 in Theorem 2.4 that characterizes weight of evidence functions. This remains 
an open question. 

5. Decision Procedures 

In this section, we consider the decision problem for our logic, that is, the problem of
deciding whether a given formula $\varphi$ is satisfiable. In order to state the problem precisely,
however, we need to deal carefully with the fact that the logic is parameterized by the sets
$\Phi_h$ and $\Phi_o$ of primitive propositions representing hypotheses and observations. In most
logics, the choice of underlying primitive propositions is essentially irrelevant. For example,
if a propositional formula $\varphi$ that contains only primitive propositions in some set $\Phi$ is
true with respect to all truth assignments to $\Phi$, then it remains true with respect to all
truth assignments to any set $\Phi' \supseteq \Phi$. This monotonicity property does not hold here. For
example, as we have already observed, axiom H1 clearly depends on the set of hypotheses
and observations; it is no longer valid if the set is changed. The same is true for O1, E3,
and E4.

This means that we have to be careful, when stating decision problems, about the role
of $\Phi_h$ and $\Phi_o$ in the algorithm. A straightforward way to deal with this is to assume that
the satisfiability algorithm gets as input $\Phi_h$, $\Phi_o$, and a formula $\varphi \in \mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$. Because
$\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$ contains the full theory of real closed fields, it is unsurprisingly difficult to
decide. For our decision procedure, we can use the exponential-space algorithm of Ben-Or,
Kozen, and Reif (1986) to decide the satisfiability of real closed field formulas. We define
the length $|\varphi|$ of $\varphi$ to be the number of symbols required to write $\varphi$, where we count the
length of each coefficient as 1. Similarly, we define $\|\varphi\|$ to be the length of the longest
coefficient appearing in $\varphi$, when written in binary.

Theorem 5.1: There is a procedure that runs in space exponential in $|\varphi|\,\|\varphi\|$ for deciding,
given $\Phi_h$ and $\Phi_o$, whether a formula $\varphi$ of $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$ is satisfiable in an evidential world.

This is essentially the best we can do, since Ben-Or, Kozen, and Reif (1986) prove that
the decision problem for real closed fields is complete for exponential space, and our logic
contains the full language of real closed fields.

While we assumed that the algorithm takes as input the set of primitive propositions
$\Phi_h$ and $\Phi_o$, this does not really affect the complexity of the algorithm. More precisely, if
we are given a formula $\varphi$ in $\mathcal{L}^{fo\text{-}ev}$ over some set of hypotheses and observations, we can
still decide whether $\varphi$ is satisfiable, that is, whether there are sets $\Phi_h$ and $\Phi_o$ of primitive
propositions containing all the primitive propositions in $\varphi$ and an evidential world $w$ that
satisfies $\varphi$.

Theorem 5.2: There is a procedure that runs in space exponential in $|\varphi|\,\|\varphi\|$ for deciding
whether there exist sets of primitive propositions $\Phi_h$ and $\Phi_o$ such that $\varphi \in \mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$
and $\varphi$ is satisfiable in an evidential world.

The main culprit for the exponential-space complexity is the theory of real closed fields,
which we had to add to the logic to be able to even write down axiom E4 of the
axiomatization $\mathbf{AX}(\Phi_h, \Phi_o)$.$^5$ However, if we are not interested in axiomatizations, but simply in
verifying properties of probabilities and weights of evidence, we can consider the following
propositional (quantifier-free) fragment of our logic. As before, we start with sets $\Phi_h$ and
$\Phi_o$ of hypothesis and observation primitives, and form the sublanguage $\mathcal{L}_h$ of hypothesis
formulas. Basic terms have the form $\Pr^0(\rho)$, $\Pr(\rho)$, and $w(ob, h)$, where $\rho$ is an hypothesis
formula, $ob$ is an observation, and $h$ is an hypothesis. A quantifier-free polynomial term
has the form $a_1 t_1 + \cdots + a_n t_n$, where each $a_i$ is an integer and each $t_i$ is a product of
basic terms. A quantifier-free polynomial inequality formula has the form $p \geq c$, where
$p$ is a quantifier-free polynomial term, and $c$ is an integer. For instance, a quantifier-free
polynomial inequality formula takes the form $\Pr^0(\rho) + 3w(ob, h) + 5\Pr^0(\rho)\Pr(\rho') \geq 7$.

Let $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$ be the language obtained by starting out with the primitive propositions
in $\Phi_h$ and $\Phi_o$ and quantifier-free polynomial inequality formulas, and closing off under
conjunction and negation. Since quantifier-free polynomial inequality formulas are polynomial
inequality formulas, $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$ is a sublanguage of $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$. The logic $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$
is sufficiently expressive to express many properties of interest; for instance, it can certainly
express the general connection between priors, posteriors, and evidence captured by axiom
E3, as well as specific relationships between prior probability and posterior probability
through the weight of evidence of a particular observation, as in Example 3.1. Reasoning
about the propositional fragment of our logic $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$ is easier than the full language.$^6$

5. Recall that axiom E4 requires existential quantification. Thus, we can restrict to the sublanguage 
consisting of formulas with a single block of existential quantifiers in prefix position. The satisfiability 
problem for this sublanguage can be shown to be decidable in time exponential in the size of the formula 
(Renegar, 1992). 

6. In a preliminary version of this paper (Halpern & Pucella, 2003), we examined the quantifier-free fragment
of $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$ that uses only linear inequality formulas, of the form $a_1 t_1 + \cdots + a_n t_n \geq c$, where each
$t_i$ is a basic term. We claimed that the problem of deciding, given $\Phi_h$ and $\Phi_o$, whether a formula $\varphi$ of
this fragment is satisfiable in an evidential world is NP-complete. We further claimed that this result
followed from a small-model theorem: if $\varphi$ is satisfiable, then it is satisfiable in an evidential world over
a small number of hypotheses and observations. While this small-model theorem is true, our argument
that the satisfiability problem is in NP also implicitly assumed that the numbers associated with the
probability measure and the evidence space in the evidential world were small. But this is not true
Theorem 5.3: There is a procedure that runs in space polynomial in $|\varphi|\,\|\varphi\|$ for deciding,
given $\Phi_h$ and $\Phi_o$, whether a formula $\varphi$ of $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$ is satisfiable in an evidential world.

Theorem 5.3 relies on Canny's (1988) procedure for deciding the validity of quantifier-free
formulas in the theory of real closed fields. As in the general case, the complexity is
unaffected by whether or not the decision problem takes as input the sets $\Phi_h$ and $\Phi_o$ of
primitive propositions.

Theorem 5.4: There is a procedure that runs in space polynomial in $|\varphi|\,\|\varphi\|$ for deciding
whether there exist sets of primitive propositions $\Phi_h$ and $\Phi_o$ such that $\varphi \in \mathcal{L}^{ev}(\Phi_h, \Phi_o)$ and
$\varphi$ is satisfiable in an evidential world.

6. Normalized Versus Unnormalized Likelihoods 

The weight of evidence we used throughout this paper is a generalization of the log-likelihood 
ratio advocated by Good (1950, 1960). As we pointed out earlier, this measure of confirma- 
tion is essentially a normalized likelihood: the likelihood of an observation given a particular 
hypothesis is normalized by the sum of all the likelihoods of that observation, for all
possible hypotheses. What would change if we were to take the (unnormalized) likelihoods $\mu_h$
themselves as weight of evidence? Some things would simplify. For example, WF2 is a 
consequence of normalization, as is the corresponding axiom E4, which is the only axiom 
that requires quantification. 

The main argument for normalizing likelihood is the same as that for normalizing prob- 
ability measures. Just like probability, when using normalized likelihood, the weight of 
evidence is always between 0 and 1, and provides an absolute scale against which to judge
all reports of evidence. The impact here is psychological — it permits one to use the same 
rules of thumb in all situations, since the numbers obtained are independent from the con- 
text of their use. Thus, for instance, a weight of evidence of 0.95 in one situation corresponds 
to the "same amount" of evidence as a weight of evidence of 0.95 in a different situation; 
any acceptable decision based on this weight of evidence in the first situation ought to be 
acceptable in the other situation as well. The importance of having such a uniform scale 
depends, of course, on the intended applications. 

For the sake of completeness, we now describe the changes to our framework required
to use unnormalized likelihoods as a weight of evidence. Define $w^u_{\mathcal{E}}(ob, h) = \mu_h(ob)$.

in general. Even though the formula $\varphi$ involves only linear inequality formulas, every evidential world
satisfies axiom E3. This constraint enables us to write formulas for which there exist no models where
the probabilities and weights of evidence are rational. For example, consider the formula

$$\Pr^0(h_1) = w(ob_1, h_1) \land \Pr^0(h_2) = 1 - \Pr^0(h_1) \land \Pr(h_1) = 1/2 \land w(ob_1, h_2) = 1/4$$

Any evidential world satisfying the formula must satisfy

$$\Pr^0(h_1) = w(ob_1, h_1) = -1/8(1 - \sqrt{17})$$

which is irrational. The exact complexity of this fragment remains open. We can use our techniques to
show that it is in PSPACE, but we have no matching lower bound. (In particular, it may indeed be in
NP.) We re-examine this fragment of the logic in Section 6, under a different interpretation of weights
of evidence.
First, note that we can update a prior probability $\mu_0$ via a set of likelihood functions $\mu_h$
using a form of Dempster's Rule of Combination. More precisely, we can define $\mu_0 \oplus w^u_{\mathcal{E}}(ob, \cdot)$
to be the probability measure defined by

(fj,o®w e (ob,-))(h) - 



The logic we introduced in Section 3 applies just as well to this new interpretation of
weights of evidence. The syntax remains unchanged, the models remain evidential worlds,
and the semantics of formulas simply take the new interpretation of weight of evidence
into account. In particular, the assignment $[p]^{w,v}$ now uses the above definition of $w^u_{\mathcal{E}}$, and
becomes

$$[\Pr(\rho)]^{w,v} = (\mu \oplus w^u_{\mathcal{E}}(ob, \cdot))([\![\rho]\!])$$

$$[w(ob', h')]^{w,v} = w^u_{\mathcal{E}}(ob', h').$$

The axiomatization of this new logic is slightly different and somewhat simpler than the 
one in Section 3. In particular, E1 and E2, which say that $w(ob, h)$ acts as a probability
measure for each fixed $ob$, are replaced by axioms that say that $w(ob, h)$ acts as a probability
measure for each fixed $h$:

E1'. $w(ob, h) \geq 0$.

h) = 1. 

Axiom E3 is unchanged, since $w^u_{\mathcal{E}}$ is updated in essentially the same way as $w_{\mathcal{E}}$. Axiom E4
becomes unnecessary. 

What about the complexity of the decision procedure? As in Section 5, the complexity
of the decision problem for the full logic $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$ remains dominated by the
complexity of reasoning in real closed fields. Of course, now, we can express the full axiomatization
for the unnormalized likelihood interpretation of weight of evidence in the $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$
fragment, which can be decided in polynomial space. A further advantage of the unnormalized
likelihood interpretation of weight of evidence, however, is that it leads to a useful fragment
of $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$ that is perhaps easier to decide.

Suppose that we are interested in reasoning exclusively about weights of evidence, with 
no prior or posterior probability. This is the kind of reasoning that actually underlies 
many computer science applications involving randomized algorithms (Halpern & Pucella, 
2005b). As before, we start with sets $\Phi_h$ and $\Phi_o$ of hypothesis and observation primitives,
and form the sublanguage of hypothesis formulas. A quantifier-free linear term has
the form $a_1 w(ob^1, h^1) + \cdots + a_n w(ob^n, h^n)$, where each $a_i$ is an integer, each $ob^i$ is an
observation, and each $h^i$ is an hypothesis. A quantifier-free linear inequality formula has
the form $p \geq c$, where $p$ is a quantifier-free linear term and $c$ is an integer. For example,
$w(ob', h) + 3w(ob, h) \geq 7$ is a quantifier-free linear inequality formula.

Let $\mathcal{L}^{w}(\Phi_h, \Phi_o)$ be the language obtained by starting out with the primitive propositions
in $\Phi_h$ and $\Phi_o$ and quantifier-free linear inequality formulas, and closing off under conjunction
and negation. Since quantifier-free linear inequality formulas are polynomial inequality
formulas, $\mathcal{L}^{w}(\Phi_h, \Phi_o)$ is a sublanguage of $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$. Reasoning about $\mathcal{L}^{w}(\Phi_h, \Phi_o)$ is
easier than the full language, and possibly easier than the $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$ fragment.

Theorem 6.1: The problem of deciding, given $\Phi_h$ and $\Phi_o$, whether a formula $\varphi$ of $\mathcal{L}^{w}(\Phi_h, \Phi_o)$
is satisfiable in an evidential world is NP-complete.

As in the general case, the complexity is unaffected by whether or not the decision
problem takes as input the sets $\Phi_h$ and $\Phi_o$ of primitive propositions.

Theorem 6.2: The problem of deciding, for a formula $\varphi$, whether there exist sets of
primitive propositions $\Phi_h$ and $\Phi_o$ such that $\varphi \in \mathcal{L}^{w}(\Phi_h, \Phi_o)$ and $\varphi$ is satisfiable in an
evidential world is NP-complete.

7. Evidence in Dynamic Systems 

The evidential worlds we have considered until now are essentially static, in that they model 
only the situation where a single observation is made. Considering such static worlds lets 
us focus on the relationship between the prior and posterior probabilities on hypotheses 
and the weight of evidence of a single observation. In a related paper (Halpern & Pucella, 
2005b), we consider evidence in the context of randomized algorithms; we use evidence to 
characterize the information provided by, for example, a randomized algorithm for primality 
when it says that a number is prime. The framework in that work is dynamic; sequences of 
observations are made over time. In this section, we extend our logic to reason about the 
evidence of sequences of observations, using the approach to combining evidence described 
in Section 2. 

There are subtleties involved in trying to find an appropriate logic for reasoning about 
situations like that in Example 2.5. The most important one is the relationship between 
observations and time. By way of illustration, consider the following example. Bob is 
expecting an email from Alice stating where a rendezvous is to take place. Calm under 
pressure, Bob is reading while he waits. We assume that Bob is not concerned with the 
time. For the purposes of this example, one of three things can occur at any given point in 
time: 

(1) Bob does not check if he has received email; 

(2) Bob checks if he has received email, and notices he has not received an email from 
Alice; 

(3) Bob checks if he has received email, and notices he has received an email from Alice. 

How is his view of the world affected by these events? In (1), it should be clear that, 
all things being equal, Bob's view of the world does not change: no observation is made. 
Contrast this with (2) and (3). In (2), Bob does make an observation, namely that he has 
not yet received Alice's email. The fact that he checks indicates that he wants to observe a 
result. In (3), he also makes an observation, namely that he received an email from Alice. 
In both of these cases, the check yields an observation, that he can use to update his view 
of the world. In case (2), he essentially observed that nothing happened, but we emphasize 
again that this is an observation, to be distinguished from the case where Bob does not 
even check whether email has arrived, and should be explicit in the set O in the evidence 
space. 
This discussion motivates the models that we use in this section. We characterize
an agent's state by the observations that she has made, including possibly the "nothing 
happened" observation. Although we do not explicitly model time, it is easy to incorporate 
time in our framework, since the agent can observe times or clock ticks. The models in this 
section are admittedly simple, but they already highlight the issues involved in reasoning 
about evidence in dynamic systems. As long as agents do not forget observations, there is 
no loss of generality in associating an agent's state with a sequence of observations. We do, 
however, make the simplifying assumption that the same evidence space is used for all the 
observations in a sequence. In other words, we assume that the evidence space is fixed for 
the evolution of the system. In many situations of interest, the external world changes. The 
possible observations may depend on the state of the world, as may the likelihood functions. 
There are no intrinsic difficulties in extending the model to handle state changes, but the 
additional details would only obscure the presentation. 

In some ways, considering a dynamic setting simplifies things. Rather than talking 
about the prior and posterior probability using different operators, we need only a single 
probability operator that represents the probability of an hypothesis at the current time. 
To express the analogue of axiom E3 in this logic, we need to be able to talk about the 
probability at the next time step. This can be done by adding the "next-time" operator
$\bigcirc$ to the logic, where $\bigcirc\varphi$ holds at the current time if $\varphi$ holds at the next time step.⁷ We
further extend the logic to talk about the weight of evidence of a sequence of observations. 

We define the logic $\mathcal{L}^{fo\text{-}ev}_{dyn}$ as follows. As in Section 3, we start with a set of primitive
propositions $\Phi_h$ and $\Phi_o$, respectively representing the hypotheses and the observations.
Again, let $\mathcal{L}_h(\Phi_h)$ be the propositional sublanguage of hypotheses formulas obtained by
taking primitive propositions in $\Phi_h$ and closing off under negation and conjunction; we use
$\rho$ to range over formulas of that sublanguage.

A basic term now has the form $\Pr(\rho)$ or $w(\overline{ob}, h)$, where $\rho$ is an hypothesis formula,
$\overline{ob} = \langle ob^1, \ldots, ob^k \rangle$ is a nonempty sequence of observations, and $h$ is an hypothesis. If
$\overline{ob} = \langle ob^1 \rangle$, we write $w(ob^1, h)$ rather than $w(\langle ob^1 \rangle, h)$. As before, a polynomial term has
the form $t_1 + \cdots + t_n$, where each term $t_i$ is a product of integers, basic terms, and variables
(which intuitively range over the reals). A polynomial inequality formula has the form
$p \geq c$, where $p$ is a polynomial term and $c$ is an integer. Let $\mathcal{L}^{fo\text{-}ev}_{dyn}(\Phi_h, \Phi_o)$ be the language
obtained by starting out with the primitive propositions in $\Phi_h$ and $\Phi_o$ and polynomial
inequality formulas, and closing off under conjunction, negation, first-order quantification,
and application of the $\bigcirc$ operator. We use the same abbreviations as in Section 3.

The semantics of this logic now involves models that have dynamic behavior. Rather 
than just considering individual worlds, we now consider sequences of worlds, which we 
call runs, representing the evolution of the system over time. A model is now an infinite 
run, where a run describes a possible dynamic evolution of the system. As before, a run 
records the observations being made and the hypothesis that is true for the run, as well as 
a probability distribution describing the prior probability of the hypothesis at the initial 
state of the run, and an evidence space $\mathcal{E}^*$ over $\Phi_h$ and $\Phi_o^*$ to interpret $w$. We define an
evidential run $r$ to be a map from the natural numbers (representing time) to histories of
the system up to that time. A history at time $m$ records the relevant information about the
run — the hypothesis that is true, the prior probability on the hypotheses, and the evidence
space $\mathcal{E}^*$ — and the observations that have been made up to time $m$. Hence, a history has
the form $\langle (h, \mu, \mathcal{E}^*), ob^1, \ldots, ob^k \rangle$. We assume that $r(0) = \langle (h, \mu, \mathcal{E}^*) \rangle$ for some $h$, $\mu$, and
$\mathcal{E}^*$, while $r(m) = \langle (h, \mu, \mathcal{E}^*), ob^1, \ldots, ob^m \rangle$ for $m > 0$. We define a point of the run to be a
pair $(r, m)$ consisting of a run $r$ and time $m$.

7. Following the discussion above, time steps are associated with new observations. Thus, $\bigcirc\varphi$ means that
$\varphi$ is true at the next time step, that is, after the next observation. This simplifies the presentation of
the logic.

We associate with each propositional formula $\rho$ in $\mathcal{L}_h(\Phi_h)$ a set $[\![\rho]\!]$ of hypotheses, just
as we did in Section 3.

In order to ascribe a semantics to first-order formulas that may contain variables, we
need a valuation $v$ that assigns a real number to every variable. Given a valuation $v$, an
evidential run $r$, and a point $(r, m)$, where $r(m) = \langle (h, \mu, \mathcal{E}^*), ob^1, \ldots, ob^m \rangle$, we can assign
to a polynomial term $p$ a real number $[p]^{r,m,v}$ using essentially the same approach as in
Section 3:



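$$
\begin{aligned}
{[x]}^{r,m,v} &= v(x) \\
{[a]}^{r,m,v} &= a \\
{[\Pr(\rho)]}^{r,m,v} &= (\mu \oplus w_{\mathcal{E}^*}(\langle ob^1, \ldots, ob^m \rangle, \cdot))([\![\rho]\!]) && \text{where } r(m) = \langle (h, \mu, \mathcal{E}^*), ob^1, \ldots, ob^m \rangle \\
{[w(\overline{ob}, h')]}^{r,m,v} &= w_{\mathcal{E}^*}(\overline{ob}, h') && \text{where } r(m) = \langle (h, \mu, \mathcal{E}^*), ob^1, \ldots, ob^m \rangle \\
{[t_1 t_2]}^{r,m,v} &= [t_1]^{r,m,v} \times [t_2]^{r,m,v} \\
{[p_1 + p_2]}^{r,m,v} &= [p_1]^{r,m,v} + [p_2]^{r,m,v}.
\end{aligned}
$$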

We define what it means for a formula $\varphi$ to be true (or satisfied) at a point $(r, m)$ of
an evidential run $r$ under valuation $v$, written $(r, m, v) \models \varphi$, using essentially the same
approach as in Section 3:

$(r, m, v) \models h$ if $r(m) = \langle (h, \mu, \mathcal{E}^*), \ldots \rangle$

$(r, m, v) \models ob$ if $r(m) = \langle (h, \mu, \mathcal{E}^*), \ldots, ob \rangle$

$(r, m, v) \models \neg\varphi$ if $(r, m, v) \not\models \varphi$

$(r, m, v) \models \varphi \wedge \psi$ if $(r, m, v) \models \varphi$ and $(r, m, v) \models \psi$

$(r, m, v) \models p \geq c$ if $[p]^{r,m,v} \geq c$

$(r, m, v) \models \bigcirc\varphi$ if $(r, m + 1, v) \models \varphi$

$(r, m, v) \models \forall x \varphi$ if $(r, m, v') \models \varphi$ for all valuations $v'$ that agree with $v$ on all variables
but $x$.

If $(r, m, v) \models \varphi$ is true for all $v$, we simply write $(r, m) \models \varphi$. If $(r, m) \models \varphi$ for all points
$(r, m)$ of $r$, then we write $r \models \varphi$ and say that $\varphi$ is valid in $r$. Finally, if $r \models \varphi$ for all
evidential runs $r$, we write $\models \varphi$ and say that $\varphi$ is valid.

It is straightforward to axiomatize this new logic. The axiomatization shows that we 
can capture the combination of evidence directly in the logic, a pleasant property. Most of 
the axioms from Section 3 carry over immediately. Let the axiomatization $\mathbf{AX}_{dyn}(\Phi_h, \Phi_o)$
consist of the following axioms and inference rules: first-order reasoning (Taut, MP),
reasoning about polynomial inequalities (RCF), reasoning about hypotheses and observations
(H1, H2, O1, O2), reasoning about probabilities (Po1-4 only, since we do not have $\Pr^0$ in
the language), and reasoning about weights of evidence (E1, E2, E4), as well as new axioms
we now present.

Basically, the only axiom that needs replacing is E3, which links prior and posterior 
probabilities, since this now needs to be expressed using the O operator. Moreover, we 
need an axiom to relate the weight of evidence of a sequence of observations to the weight
of evidence of the individual observations, as given by Equation (3).

E5. $ob \Rightarrow \forall x(\bigcirc(\Pr(h) = x) \Rightarrow \Pr(h) w(ob, h) = x \Pr(h_1) w(ob, h_1) + \cdots + x \Pr(h_{n_h}) w(ob, h_{n_h}))$.

E6. $w(ob^1, h) \cdots w(ob^k, h) = w(\langle ob^1, \ldots, ob^k \rangle, h) w(ob^1, h_1) \cdots w(ob^k, h_1) + \cdots + w(\langle ob^1, \ldots, ob^k \rangle, h) w(ob^1, h_{n_h}) \cdots w(ob^k, h_{n_h})$.

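To get a complete axiomatization, we also need axioms and inference rules that capture
the properties of the temporal operator $\bigcirc$.

T1. $\bigcirc\varphi \wedge \bigcirc(\varphi \Rightarrow \psi) \Rightarrow \bigcirc\psi$.

T2. $\bigcirc\neg\varphi \Leftrightarrow \neg\bigcirc\varphi$.

T3. From $\varphi$ infer $\bigcirc\varphi$.

Finally, we need axioms to say that the truth of hypotheses as well as the value of polynomial
terms not containing occurrences of Pr is time-independent:

T4. $\bigcirc\rho \Leftrightarrow \rho$.

T5. $\bigcirc(p \geq c) \Leftrightarrow p \geq c$ if $p$ does not contain an occurrence of Pr.

T6. $\bigcirc(\forall x \varphi) \Leftrightarrow \forall x(\bigcirc\varphi)$.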

Theorem 7.1: $\mathbf{AX}_{dyn}(\Phi_h, \Phi_o)$ is a sound and complete axiomatization for $\mathcal{L}^{fo\text{-}ev}_{dyn}(\Phi_h, \Phi_o)$
with respect to evidential runs.
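The update expressed by axioms E5 and E6 can be checked numerically. The following Python sketch is an added example, not code from the paper: it uses exact rationals over a constructed evidence space for the introduction's coin (fair versus double-headed), assumes that the likelihood of a sequence of observations is the product of the single-observation likelihoods, and all function names are hypothetical.

```python
from fractions import Fraction
from itertools import product
from math import prod

# Constructed evidence space for the coin of the introduction:
# LIKELIHOOD[h][ob] is mu_h(ob), the probability of observing ob if h holds.
LIKELIHOOD = {
    "fair":   {"heads": Fraction(1, 2), "tails": Fraction(1, 2)},
    "double": {"heads": Fraction(1),    "tails": Fraction(0)},
}
HYPOTHESES = tuple(LIKELIHOOD)
OBSERVATIONS = ("heads", "tails")


def seq_likelihood(h, obs):
    """Likelihood of a sequence under h: product of single likelihoods (assumption)."""
    if not obs:
        raise ValueError("w is only defined for nonempty observation sequences")
    return prod(LIKELIHOOD[h][ob] for ob in obs)


def weight(obs, h):
    """w(<ob^1..ob^k>, h): likelihood under h, normalised over all hypotheses."""
    total = sum(seq_likelihood(g, obs) for g in HYPOTHESES)
    if total == 0:
        raise ValueError("sequence has likelihood 0 under every hypothesis")
    return seq_likelihood(h, obs) / total


def next_probability(pr, ob):
    """Solve E5 for x: Pr(h) w(ob,h) = x * sum_i Pr(h_i) w(ob,h_i)."""
    norm = sum(pr[g] * weight((ob,), g) for g in HYPOTHESES)
    if norm == 0:
        raise ValueError("observation is impossible under every hypothesis with Pr > 0")
    return {h: pr[h] * weight((ob,), h) / norm for h in HYPOTHESES}


def run_probabilities(prior, obs):
    """Pr at the points (r,0), ..., (r,k) of a run whose observations are obs."""
    points = [dict(prior)]
    for ob in obs:
        points.append(next_probability(points[-1], ob))
    return points


def one_shot(prior, obs):
    """Update the prior once, using the weight of the whole sequence."""
    norm = sum(prior[g] * weight(obs, g) for g in HYPOTHESES)
    return {h: prior[h] * weight(obs, h) / norm for h in HYPOTHESES}


def e6_holds(obs, h):
    """Check E6: the product of single weights equals the sequence weight times
    the sum over all hypotheses of the products of single weights."""
    lhs = prod(weight((ob,), h) for ob in obs)
    rhs = sum(weight(obs, h) * prod(weight((ob,), g) for ob in obs)
              for g in HYPOTHESES)
    return lhs == rhs


def e6_holds_everywhere(k):
    """E6 for every observation sequence of length k and every hypothesis."""
    return all(e6_holds(seq, h)
               for seq in product(OBSERVATIONS, repeat=k) for h in HYPOTHESES)


if __name__ == "__main__":
    heads20 = ("heads",) * 20
    # Barrel prior from the introduction: 10^9 fair coins, one double-headed.
    barrel = {"fair": Fraction(10**9, 10**9 + 1), "double": Fraction(1, 10**9 + 1)}
    print("w(20 heads, double) =", weight(heads20, "double"))
    print("Pr(double) after 20 heads =", run_probabilities(barrel, heads20)[-1]["double"])
    print("E6 holds for all length-3 sequences:", e6_holds_everywhere(3))
```

The weight of 20 heads for the double-headed hypothesis is close to 1 without reference to any prior, while the posterior under the barrel prior stays near 0.001; the step-by-step E5 updates and the single update with the sequence weight give the same distribution.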

8. Conclusion 

In the literature, reasoning about the effect of observations is typically done in a context 
where we have a prior probability on a set of hypotheses which we can condition on the 
observations made to obtain a new probability on the hypotheses that reflects the effect of 
the observations. In this paper, we have presented a logic of evidence that lets us reason 
about the weight of evidence of observations, independently of any prior probability on the 
hypotheses. The logic is expressive enough to capture in a logical form the relationship 
between a prior probability on hypotheses, the weight of evidence of observations, and the 
resulting posterior probability on hypotheses. But we can also capture reasoning that does not
involve prior probabilities. 
While the logic is essentially propositional, obtaining a sound and complete axiomatization
seems to require quantification over the reals. This adds to the complexity of the
logic — the decision problem for the full logic is in exponential space. However, an interesting
and potentially useful fragment, the propositional fragment, is decidable in polynomial
space.
Appendix A. Proofs

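Proposition 2.1: For all $ob$, we have $w_{\mathcal{E}}(ob, h_i) \geq w_{\mathcal{E}}(ob, h_{3-i})$ if and only if $l(ob, h_i) \geq l(ob, h_{3-i})$,
for $i = 1, 2$, and for all $h$, $ob$, and $ob'$, we have $w_{\mathcal{E}}(ob, h) \geq w_{\mathcal{E}}(ob', h)$ if and
only if $l(ob, h) \geq l(ob', h)$.

Proof. Let $ob$ be an arbitrary observation. The result follows from the following argument:

$$
\begin{aligned}
& w_{\mathcal{E}}(ob, h_i) \geq w_{\mathcal{E}}(ob, h_{3-i}) \\
\text{iff } & \mu_{h_i}(ob)/(\mu_{h_i}(ob) + \mu_{h_{3-i}}(ob)) \geq \mu_{h_{3-i}}(ob)/(\mu_{h_i}(ob) + \mu_{h_{3-i}}(ob)) \\
\text{iff } & \mu_{h_i}(ob)\mu_{h_i}(ob) \geq \mu_{h_{3-i}}(ob)\mu_{h_{3-i}}(ob) \\
\text{iff } & \mu_{h_i}(ob)/\mu_{h_{3-i}}(ob) \geq \mu_{h_{3-i}}(ob)/\mu_{h_i}(ob) \\
\text{iff } & l(ob, h_i) \geq l(ob, h_{3-i}).
\end{aligned}
$$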

A similar argument establishes the result for hypotheses. □ 

Theorem 2.4: Let $\mathcal{H} = \{h_1, \ldots, h_m\}$ and $\mathcal{O} = \{ob_1, \ldots, ob_n\}$, and let $f$ be a real-valued
function with domain $\mathcal{O} \times \mathcal{H}$ such that $f(ob, h) \in [0, 1]$. Then there exists an evidence space
$\mathcal{E} = (\mathcal{H}, \mathcal{O}, \mu_{h_1}, \ldots, \mu_{h_m})$ such that $f = w_{\mathcal{E}}$ if and only if $f$ satisfies the following properties:

WF1. For every $ob \in \mathcal{O}$, $f(ob, \cdot)$ is a probability measure on $\mathcal{H}$.

WF2. There exists $x_1, \ldots, x_n > 0$ such that, for all $h \in \mathcal{H}$, $\sum_{i=1}^{n} f(ob_i, h) x_i = 1$.

Proof. ($\Rightarrow$) Assume that $f = w_{\mathcal{E}}$ for some evidence space $\mathcal{E} = (\mathcal{H}, \mathcal{O}, \mu_{h_1}, \ldots, \mu_{h_m})$. It is
routine to verify WF1, that for a fixed $ob \in \mathcal{O}$, $w_{\mathcal{E}}(ob, \cdot)$ is a probability measure on $\mathcal{H}$.
To verify WF2, note that we can simply take $x_i = \sum_{h' \in \mathcal{H}} \mu_{h'}(ob_i)$.

($\Leftarrow$) Let $f$ be a function from $\mathcal{O} \times \mathcal{H}$ to $[0, 1]$ that satisfies WF1 and WF2. Let
$x_1^*, \ldots, x_n^*$ be the positive reals guaranteed by WF2. It is straightforward to verify that
taking $\mu_h(ob_i) = f(ob_i, h)/x_i^*$ for each $h \in \mathcal{H}$ yields an evidence space $\mathcal{E}$ such that $f = w_{\mathcal{E}}$. □

The following lemmas are useful to prove the completeness of the axiomatizations in
this paper. These results depend on the soundness of the axiomatization $\mathbf{AX}(\Phi_h, \Phi_o)$.

Lemma A.1: $\mathbf{AX}(\Phi_h, \Phi_o)$ is a sound axiomatization for the logic $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$ with
respect to evidential worlds.

Proof. It is easy to see that each axiom is valid in evidential worlds. □

Lemma A.2: For all hypothesis formulas $\rho$, $\rho \Leftrightarrow h_1 \vee \cdots \vee h_k$ is provable in $\mathbf{AX}(\Phi_h, \Phi_o)$,
when $[\![\rho]\!] = \{h_1, \ldots, h_k\}$.

Proof. Using Taut, we can show that $\rho$ is provably equivalent to a formula $\rho'$ in disjunctive
normal form. Moreover, by axiom H2, we can assume without loss of generality that each
of the disjuncts in $\rho'$ consists of a single hypothesis. Thus, $\rho$ is $h_1 \vee \cdots \vee h_k$. An easy
induction on structure shows that for an hypothesis formula $\rho$ and evidential world $w$, we
have that $w \models \rho$ iff $w \models h$ for some $h \in [\![\rho]\!]$. Moreover, it follows immediately from the
soundness of the axiomatization (Lemma A.1) that $\rho \Leftrightarrow h_1 \vee \cdots \vee h_k$ is provable iff for all
evidential worlds $w$, $w \models \rho$ iff $w \models h_i$ for some $i \in \{1, \ldots, k\}$. Thus, $\rho \Leftrightarrow h_1 \vee \cdots \vee h_k$ is
provable iff $[\![\rho]\!] = \{h_1, \ldots, h_k\}$. □

An easy consequence of Lemma A.2 is that $\rho_1$ is provably equivalent to $\rho_2$ if and only if
$[\![\rho_1]\!] = [\![\rho_2]\!]$.

Lemma A.3: Let $\rho$ be an hypothesis formula. The formulas

$$\Pr(\rho) = \sum_{h \in [\![\rho]\!]} \Pr(h) \quad \text{and} \quad \Pr{}^0(\rho) = \sum_{h \in [\![\rho]\!]} \Pr{}^0(h)$$

are provable in $\mathbf{AX}(\Phi_h, \Phi_o)$.

Proof. Let $\Phi_h = \{h_1, \ldots, h_{n_h}\}$ and $\Phi_o = \{ob_1, \ldots, ob_{n_o}\}$. We prove the result for Pr.
We proceed by induction on the size of $[\![\rho]\!]$. For the base case, assume that $|[\![\rho]\!]| = 0$.
By Lemma A.2, this implies that $\rho$ is provably equivalent to false. By Po4, $\Pr(\rho) = \Pr(\mathit{false})$,
and it is easy to check that $\Pr(\mathit{false}) = 0$ is provable using Po1, Po3, and Po4,
thus $\Pr(\rho) = 0$, as required. If $|[\![\rho]\!]| = n + 1 > 0$, then $[\![\rho]\!] = \{h_{i_1}, \ldots, h_{i_{n+1}}\}$, and by
Lemma A.2, $\rho$ is provably equivalent to $h_{i_1} \vee \cdots \vee h_{i_{n+1}}$. By Po4, $\Pr(\rho) = \Pr(\rho \wedge h_{i_{n+1}}) + \Pr(\rho \wedge \neg h_{i_{n+1}})$.
It is easy to check that $\rho \wedge h_{i_{n+1}}$ is provably equivalent to $h_{i_{n+1}}$ (using
H2), and similarly $\rho \wedge \neg h_{i_{n+1}}$ is provably equivalent to $h_{i_1} \vee \cdots \vee h_{i_n}$. Thus,
$\Pr(\rho) = \Pr(h_{i_{n+1}}) + \Pr(h_{i_1} \vee \cdots \vee h_{i_n})$ is provable. Since $|[\![h_{i_1} \vee \cdots \vee h_{i_n}]\!]| = n$, by the induction
hypothesis, $\Pr(h_{i_1} \vee \cdots \vee h_{i_n}) = \sum_{h \in \{h_{i_1}, \ldots, h_{i_n}\}} \Pr(h) = \sum_{h \in [\![\rho]\!] - \{h_{i_{n+1}}\}} \Pr(h)$. Thus,
$\Pr(\rho) = \Pr(h_{i_{n+1}}) + \sum_{h \in [\![\rho]\!] - \{h_{i_{n+1}}\}} \Pr(h)$, that is, $\Pr(\rho) = \sum_{h \in [\![\rho]\!]} \Pr(h)$, as required.

The same argument applies mutatis mutandis for $\Pr^0$, using axioms Pr1-4 instead of
Po1-4. □
Theorem 4.1: $\mathbf{AX}(\Phi_h, \Phi_o)$ is a sound and complete axiomatization for the logic with
respect to evidential worlds.

Proof. Soundness was established in Lemma A.1. To prove completeness, recall the
following definitions. A formula $\varphi$ is consistent with the axiom system $\mathbf{AX}(\Phi_h, \Phi_o)$ if $\neg\varphi$ is
not provable from $\mathbf{AX}(\Phi_h, \Phi_o)$. To prove completeness, it is sufficient to show that if $\varphi$ is
consistent, then it is satisfiable, that is, there exists an evidential world $w$ and valuation $v$
such that $(w, v) \models \varphi$.

As in the body of the paper, let $\Phi_h = \{h_1, \ldots, h_{n_h}\}$ and $\Phi_o = \{ob_1, \ldots, ob_{n_o}\}$. Let $\varphi$ be
a consistent formula. By way of contradiction, assume that $\varphi$ is unsatisfiable. We reduce
the formula $\varphi$ to an equivalent formula in the language of real closed fields. Let $u_1, \ldots, u_{n_h}$,
$v_1, \ldots, v_{n_o}$, $x_1, \ldots, x_{n_h}$, $y_1, \ldots, y_{n_h}$, and $z_{1,1}, \ldots, z_{1,n_h}, \ldots, z_{n_o,1}, \ldots, z_{n_o,n_h}$ be new variables, where,
intuitively,

• $u_i$ gets value 1 if hypothesis $h_i$ holds, 0 otherwise;

• $v_i$ gets value 1 if observation $ob_i$ holds, 0 otherwise;

• $x_i$ represents $\Pr^0(h_i)$;

• $y_i$ represents $\Pr(h_i)$;

• $z_{i,j}$ represents $w(ob_i, h_j)$.

Let $\overline{v}$ represent that list of new variables. Consider the following formulas. Let $\varphi_h$ be the
formula saying that exactly one hypothesis holds:

$$(u_1 = 0 \vee u_1 = 1) \wedge \cdots \wedge (u_{n_h} = 0 \vee u_{n_h} = 1) \wedge u_1 + \cdots + u_{n_h} = 1.$$

Similarly, let $\varphi_o$ be the formula saying that exactly one observation holds:

$$(v_1 = 0 \vee v_1 = 1) \wedge \cdots \wedge (v_{n_o} = 0 \vee v_{n_o} = 1) \wedge v_1 + \cdots + v_{n_o} = 1.$$

Let $\varphi_{pr}$ be the formula that expresses that $\Pr^0$ is a probability measure:

$$\varphi_{pr} = x_1 \geq 0 \wedge \cdots \wedge x_{n_h} \geq 0 \wedge x_1 + \cdots + x_{n_h} = 1.$$

Similarly, let $\varphi_{po}$ be the formula that expresses that Pr is a probability measure:

$$\varphi_{po} = y_1 \geq 0 \wedge \cdots \wedge y_{n_h} \geq 0 \wedge y_1 + \cdots + y_{n_h} = 1.$$

Finally, we need formulas saying that $w$ is a weight of evidence function. The formula $\varphi_{w,p}$
simply says that $w$ satisfies WF1, that is, it acts as a probability measure for a fixed
observation:

$$z_{1,1} \geq 0 \wedge \cdots \wedge z_{1,n_h} \geq 0 \wedge \cdots \wedge z_{n_o,1} \geq 0 \wedge \cdots \wedge z_{n_o,n_h} \geq 0 \;\wedge$$
$$z_{1,1} + \cdots + z_{1,n_h} = 1 \wedge \cdots \wedge z_{n_o,1} + \cdots + z_{n_o,n_h} = 1.$$

The formula $\varphi_{w,f}$ says that $w$ satisfies WF2:

$$\exists w_1, \ldots, w_{n_o} (w_1 > 0 \wedge \cdots \wedge w_{n_o} > 0 \wedge z_{1,1} w_1 + \cdots + z_{n_o,1} w_{n_o} = 1 \;\wedge$$
$$\cdots \wedge z_{1,n_h} w_1 + \cdots + z_{n_o,n_h} w_{n_o} = 1)$$

where $w_1, \ldots, w_{n_o}$ are new variables.

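Finally, the formula $\varphi_{w,up}$ captures the fact that weights of evidence can be viewed as
updating a prior probability into a posterior probability, via Dempster's Rule of Combination:

$$(v_1 = 1 \Rightarrow (x_1 z_{1,1} = y_1 x_1 z_{1,1} + \cdots + y_1 x_{n_h} z_{1,n_h} \;\wedge$$
$$\cdots \wedge x_{n_h} z_{1,n_h} = y_{n_h} x_1 z_{1,1} + \cdots + y_{n_h} x_{n_h} z_{1,n_h})) \;\wedge$$
$$\cdots \;\wedge$$
$$(v_{n_o} = 1 \Rightarrow (x_1 z_{n_o,1} = y_1 x_1 z_{n_o,1} + \cdots + y_1 x_{n_h} z_{n_o,n_h} \;\wedge$$
$$\cdots \wedge x_{n_h} z_{n_o,n_h} = y_{n_h} x_1 z_{n_o,1} + \cdots + y_{n_h} x_{n_h} z_{n_o,n_h})).$$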

Let $\hat{\varphi}$ be the formula in the language of real closed fields obtained from $\varphi$ by replacing
each occurrence of the primitive proposition $h_i$ by $u_i = 1$, each occurrence of $ob_i$ by $v_i = 1$,
each occurrence of $\Pr^0(\rho)$ by $\sum_{h_i \in [\![\rho]\!]} x_i$, each occurrence of $\Pr(\rho)$ by $\sum_{h_i \in [\![\rho]\!]} y_i$, each
occurrence of $w(ob_i, h_j)$ by $z_{i,j}$, and each occurrence of an integer coefficient $k$ by $1 + \cdots + 1$
($k$ times). Finally, let $\varphi'$ be the formula $\exists \overline{v}(\varphi_h \wedge \varphi_o \wedge \varphi_{pr} \wedge \varphi_{po} \wedge \varphi_{w,p} \wedge \varphi_{w,f} \wedge \varphi_{w,up} \wedge \hat{\varphi})$.

It is easy to see that if $\varphi$ is unsatisfiable over evidential worlds, then $\varphi'$ is false when
interpreted over the real numbers. Therefore, $\neg\varphi'$ must be a formula valid in real closed
fields, and hence an instance of RCF. Thus, $\neg\varphi'$ is provable. It is straightforward to show,
using Lemma A.3, that $\neg\varphi$ itself is provable, contradicting the fact that $\varphi$ is consistent.
Thus, $\varphi$ must be satisfiable, establishing completeness. □

As we mentioned at the beginning of Section 5, $\mathcal{L}^{fo\text{-}ev}$ is not monotone with respect to
validity: axiom H1 depends on the set of hypotheses and observations, and will in general
no longer be valid if the set is changed. The same is true for O1, E3, and E4. We do,
however, have a form of monotonicity with respect to satisfiability, as the following lemma
shows.

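Lemma A.4: Given $\Phi_h$ and $\Phi_o$, let $\varphi$ be a formula of $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$, and let $\mathcal{H} \subseteq \Phi_h$
and $\mathcal{O} \subseteq \Phi_o$ be the hypotheses and observations that occur in $\varphi$. If $\varphi$ is satisfiable in an
evidential world over $\Phi_h$ and $\Phi_o$, then $\varphi$ is satisfiable in an evidential world over $\Phi'_h$ and
$\Phi'_o$, where $|\Phi'_h| = |\mathcal{H}| + 1$ and $|\Phi'_o| = |\mathcal{O}| + 1$.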

Proof. We do this in two steps, to clarify the presentation. First, we show that we can
add a single hypothesis and observation to $\Phi_h$ and $\Phi_o$ and preserve satisfiability of $\varphi$. This
means that the second step below can assume that $\Phi_h \neq \mathcal{H}$ and $\Phi_o \neq \mathcal{O}$. Assume that
$\varphi$ is satisfied in an evidential world $w = (h, ob, \mu, \mathcal{E})$ over $\Phi_h$ and $\Phi_o$, so that there exists
$v$ such that $(w, v) \models \varphi$. Let $\Phi'_h = \Phi_h \cup \{h^*\}$, where $h^*$ is a new hypothesis not in $\Phi_h$,
and let $\Phi'_o = \Phi_o \cup \{ob^*\}$, where $ob^*$ is a new observation not in $\Phi_o$. Define the evidential
world $w' = (h, ob, \mu', \mathcal{E}')$ over $\Phi'_h$ and $\Phi'_o$, where $\mathcal{E}'$ and $\mu'$ are defined as follows. Define the
probability measure $\mu'$ by taking:

$$\mu'(h) = \begin{cases} \mu(h) & \text{if } h \in \Phi_h \\ 0 & \text{if } h = h^*. \end{cases}$$






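Similarly, define the evidence space $\mathcal{E}' = (\Phi'_h, \Phi'_o, \boldsymbol{\mu}')$ derived from $\mathcal{E} = (\Phi_h, \Phi_o, \boldsymbol{\mu})$ by taking:

$$\mu'_h(ob) = \begin{cases} \mu_h(ob) & \text{if } h \in \Phi_h \text{ and } ob \in \Phi_o \\ 0 & \text{if } h \in \Phi_h \text{ and } ob = ob^* \\ 0 & \text{if } h = h^* \text{ and } ob \in \Phi_o \\ 1 & \text{if } h = h^* \text{ and } ob = ob^*. \end{cases}$$

Thus, $\mu'_h$ extends the existing $\mu_h$ by assigning a probability of 0 to the new observation $ob^*$;
in contrast, the new probability $\mu'_{h^*}$ assigns probability 1 to the new observation $ob^*$. We
can check that $(w', v) \models \varphi$.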

The second step is to "collapse" all the hypotheses and observations that do not appear
in $\varphi$ into one of the hypotheses that do not appear in $\mathcal{H}$ and $\mathcal{O}$, which by the previous step
are guaranteed to exist. By the previous step, we can assume that $\Phi_h \neq \mathcal{H}$ and $\Phi_o \neq \mathcal{O}$.
Assume $\varphi$ is satisfiable in an evidential world $w = (h, ob, \mu, \mathcal{E})$ over $\Phi_h$ and $\Phi_o$, that is,
there exists $v$ such that $(w, v) \models \varphi$. Pick an hypothesis and an observation from $\Phi_h$ and $\Phi_o$
as follows, depending on the hypothesis $h$ and observation $ob$ in $w$. Let $h^\dagger$ be $h$ if $h \notin \mathcal{H}$,
otherwise, let $h^\dagger$ be an arbitrary element of $\Phi_h - \mathcal{H}$; let $\Phi'_h = \mathcal{H} \cup \{h^\dagger\}$. Similarly, let $ob^\dagger$
be $ob$ if $ob \notin \mathcal{O}$, otherwise, let $ob^\dagger$ be an arbitrary element of $\Phi_o - \mathcal{O}$; let $\Phi'_o = \mathcal{O} \cup \{ob^\dagger\}$.
Let $w' = (h, ob, \mu', \mathcal{E}')$ be an evidential world over $\Phi'_h$ and $\Phi'_o$ obtained from $w$ as follows.
Define the probability measure $\mu'$ by taking:



Ah) 



a hen 



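Define $\mathcal{E}' = (\Phi'_h, \Phi'_o, \boldsymbol{\mu}')$ derived from $\mathcal{E} = (\Phi_h, \Phi_o, \boldsymbol{\mu})$ by taking:

$$\mu'_h(ob) = \begin{cases} \mu_h(ob) & \text{if } h \in \mathcal{H} \text{ and } ob \in \mathcal{O} \\ \sum_{ob' \in \Phi_o - \mathcal{O}} \mu_h(ob') & \text{if } h \in \mathcal{H} \text{ and } ob = ob^\dagger \\ \sum_{h' \in \Phi_h - \mathcal{H}} \mu_{h'}(ob) & \text{if } h = h^\dagger \text{ and } ob \in \mathcal{O} \\ & \text{if } h = h^\dagger \text{ and } ob = ob^\dagger. \end{cases}$$

We can check by induction that $(w', v) \models \varphi$.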



□ 



Theorem 5.1: There is a procedure that runs in space exponential in $|\varphi|\,\|\varphi\|$ for deciding,
given $\Phi_h$ and $\Phi_o$, whether a formula $\varphi$ of $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$ is satisfiable in an evidential world.

Proof. Let $\varphi$ be a formula of $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$. By Lemma A.4, $\varphi$ is satisfiable if we can
construct a probability measure $\mu$ on $\Phi'_h = \mathcal{H} \cup \{h^*\}$ (where $\mathcal{H}$ is the set of hypotheses
appearing in $\varphi$, and $h^* \notin \mathcal{H}$) and probability measures $\mu_{h_1}, \ldots, \mu_{h_m}$ on $\Phi'_o = \mathcal{O} \cup \{ob^*\}$
(where $\mathcal{O}$ is the set of observations appearing in $\varphi$ and $ob^* \notin \mathcal{O}$) such that $\mathcal{E} = (\Phi'_h, \Phi'_o, \boldsymbol{\mu})$,
$w = (h, ob, \mu, \mathcal{E})$ with $(w, v) \models \varphi$ for some $h$, $ob$, and $v$.

The aim now is to derive a formula $\varphi'$ in the language of real closed fields that asserts
the existence of these probability measures. More precisely, we can adapt the construction
of the formula $\varphi'$ from $\varphi$ in the proof of Theorem 4.1. The one change we need to make
is to ensure that $\varphi'$ is polynomial in the size of $\varphi$, which the construction in the proof of
Theorem 4.1 does not guarantee. The culprit is the fact that we encode integer constants $k$
as $1 + \cdots + 1$. It is straightforward to modify the construction so that we use a more efficient
representation of integer constants, namely, a binary representation. For example, we can
write 42 as $2(1 + 2^2(1 + 2^2))$, which can be expressed in the language of real closed fields as
$(1 + 1)(1 + (1 + 1)(1 + 1)(1 + (1 + 1)(1 + 1)))$. We can check that if $k$ is a coefficient of length
$k$ (when written in binary), it can be written as a term of length $O(k)$ in the language of
real closed fields. Thus, we modify the construction of $\varphi'$ in the proof of Theorem 4.1 so
that integer constants $k$ are represented using the above binary encoding. It is easy to see
that $|\varphi'|$ is polynomial in $|\varphi|\,\|\varphi\|$ (since $|\Phi'_h|$ and $|\Phi'_o|$ are both polynomial in $|\varphi|$). We can
now use the exponential-space algorithm of Ben-Or, Kozen, and Reif (1986) on $\varphi'$: if $\varphi'$ is
satisfiable, then we can construct the required probability measures, and $\varphi$ is satisfiable;
otherwise, no such probability measures exist, and $\varphi$ is unsatisfiable. □

Theorem 5.2: There is a procedure that runs in space exponential in $|\varphi|\,\|\varphi\|$ for deciding
whether there exist sets of primitive propositions $\Phi_h$ and $\Phi_o$ such that $\varphi \in \mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$
and $\varphi$ is satisfiable in an evidential world.

Proof. Let $h_1, \ldots, h_m$ be the hypotheses appearing in $\varphi$, and $ob_1, \ldots, ob_n$ be the observations
appearing in $\varphi$. Let $\Phi_h = \{h_1, \ldots, h_m, h^*\}$ and $\Phi_o = \{ob_1, \ldots, ob_n, ob^*\}$, where $h^*$ and $ob^*$
are an hypothesis and observation not appearing in $\varphi$. Clearly, $|\Phi_h|$ and $|\Phi_o|$ are polynomial
in $|\varphi|$. By Lemma A.4, if $\varphi$ is satisfiable in an evidential world, it is satisfiable in an evidential
world over $\Phi_h$ and $\Phi_o$. By Theorem 5.1, we have an algorithm to determine if $\varphi$ is satisfied
in an evidential world over $\Phi_h$ and $\Phi_o$ that runs in space exponential in $|\varphi|\,\|\varphi\|$. □

Theorem 5.3: There is a procedure that runs in space polynomial in $|\varphi|\,\|\varphi\|$ for deciding,
given $\Phi_h$ and $\Phi_o$, whether a formula $\varphi$ of $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$ is satisfiable in an evidential world.

Proof. The proof of this result is very similar to that of Theorem 5.1. Let $\varphi$ be a formula
of $\mathcal{L}^{ev}(\Phi_h, \Phi_o)$. By Lemma A.4, $\varphi$ is satisfiable if there exists a probability measure $\mu$ on
$\Phi'_h = \mathcal{H} \cup \{h^*\}$ (where $\mathcal{H}$ is the set of hypotheses appearing in $\varphi$, and $h^* \notin \mathcal{H}$), probability
measures $\mu_{h_1}, \ldots, \mu_{h_m}$ on $\Phi'_o = \mathcal{O} \cup \{ob^*\}$ (where $\mathcal{O}$ is the set of observations appearing in
$\varphi$ and $ob^* \notin \mathcal{O}$), a hypothesis $h$, observation $ob$, and valuation $v$ such that $(w, v) \models \varphi$, where
$w = (h, ob, \mu, \mathcal{E})$ and $\mathcal{E} = (\Phi'_h, \Phi'_o, \boldsymbol{\mu})$.

We derive a formula $\varphi'$ in the language of real closed fields that asserts the existence
of these probability measures by adapting the construction of the formula $\varphi'$ from $\varphi$ in
the proof of Theorem 4.1. As in the proof of Theorem 5.1, we need to make sure that $\varphi'$
is polynomial in the size of $\varphi$, which the construction in the proof of Theorem 4.1 does
not guarantee. We modify the construction so that we use a more efficient representation
of integer constants, namely, a binary representation. For example, we can write 42 as
$2(1 + 2^2(1 + 2^2))$, which can be expressed in the language of real closed fields as
$(1 + 1)(1 + (1 + 1)(1 + 1)(1 + (1 + 1)(1 + 1)))$. We can check that if $k$ is a coefficient of length $k$
(when written in binary), it can be written as a term of length $O(k)$ in the language of
real closed fields. We modify the construction of $\varphi'$ in the proof of Theorem 4.1 so that
integer constants $k$ are represented using this binary encoding. It is easy to see that $|\varphi'|$ is
polynomial in $|\varphi|\,\|\varphi\|$ (since $|\Phi'_h|$ and $|\Phi'_o|$ are both polynomial in $|\varphi|$). The key now is to
notice that the resulting formula $\varphi'$ can be written as $\exists x_1 \ldots \exists x_n(\varphi'')$ for some
quantifier-free formula $\varphi''$. In this form, we can apply the polynomial space algorithm of Canny (1988)
to $\varphi''$: if $\varphi''$ is satisfiable, then we can construct the required probability measures, and $\varphi$
is satisfiable; otherwise, no such probability measures exist, and $\varphi$ is unsatisfiable. □

Theorem 5.4: There is a procedure that runs in space polynomial in $|\varphi|\,\|\varphi\|$ for deciding
whether there exist sets of primitive propositions $\Phi_h$ and $\Phi_o$ such that $\varphi \in \mathcal{L}^{ev}(\Phi_h, \Phi_o)$ and
$\varphi$ is satisfiable in an evidential world.

Proof. Let $h_1, \ldots, h_m$ be the hypotheses appearing in $\varphi$, and $ob_1, \ldots, ob_n$ be the observations
appearing in $\varphi$. Let $\Phi_h = \{h_1, \ldots, h_m, h^*\}$ and $\Phi_o = \{ob_1, \ldots, ob_n, ob^*\}$, where $h^*$ and $ob^*$
are an hypothesis and observation not appearing in $\varphi$. Clearly, $|\Phi_h|$ and $|\Phi_o|$ are polynomial
in $|\varphi|$. By Lemma A.4, if $\varphi$ is satisfiable in an evidential world, it is satisfiable in an evidential
world over $\Phi_h$ and $\Phi_o$. By Theorem 5.3, we have an algorithm to determine if $\varphi$ is satisfied
in an evidential world over $\Phi_h$ and $\Phi_o$ that runs in space polynomial in $|\varphi|\,\|\varphi\|$. □

The proofs of Theorems 6.1 and 6.2 rely on the following small model result, a variation
on Lemma A.4.

Lemma A.5: Given $\Phi_h$ and $\Phi_o$, let $\varphi$ be a formula of $\mathcal{L}^{fo\text{-}ev}(\Phi_h, \Phi_o)$, and let $\mathcal{H} \subseteq \Phi_h$
and $\mathcal{O} \subseteq \Phi_o$ be the hypotheses and observations that occur in $\varphi$. If $\varphi$ is satisfiable in an
evidential world over $\Phi_h$ and $\Phi_o$, then $\varphi$ is satisfiable in an evidential world over $\Phi'_h$ and
$\Phi'_o$ where $|\Phi'_h| = |\mathcal{H}| + 1$ and $|\Phi'_o| = |\mathcal{O}| + 1$, and where, for each $h \in \Phi'_h$ and $ob \in \Phi'_o$, the
likelihood $\mu_h(ob)$ is a rational number with size $O(|\varphi|\,\|\varphi\| + |\varphi| \log(|\varphi|))$.

Proof. Let $\varphi$ be a formula satisfiable in an evidential world over $\Phi_h$ and $\Phi_o$. By Lemma A.4,
$\varphi$ is satisfiable in an evidential world over $\Phi'_h$ and $\Phi'_o$, where $|\Phi'_h| = |\mathcal{H}| + 1$ and $|\Phi'_o| = |\mathcal{O}| + 1$.
To force the likelihoods to be small, we adapt Theorem 2.6 in FHM, which says that
if a formula $f$ in the FHM logic is satisfiable, it is satisfiable in a structure where the
probability assigned to each state of the structure is a rational number with size
$O(|f|\,\|f\| + |f| \log(|f|))$. The formulas in $\mathcal{L}^{w}(\Phi_h, \Phi_o)$ are just formulas in the FHM logic. The result
adapts immediately, and yields the required bounds for the size of the likelihoods. □

Theorem 6.1: The problem of deciding, given $\Phi_h$ and $\Phi_o$, whether a formula $\varphi$ of $\mathcal{L}^{w}(\Phi_h, \Phi_o)$
is satisfiable in an evidential world is NP-complete.

Proof. To establish the lower bound, observe that we can reduce propositional satisfiability
to satisfiability in $\mathcal{L}^{w}(\Phi_h, \Phi_o)$. More precisely, let $f$ be a propositional formula, where
$p_1, \ldots, p_n$ are the primitive propositions appearing in $f$. Let $\Phi_o = \{ob_1, \ldots, ob_n, ob^*\}$ be
a set of observations, where observation $ob_i$ corresponds to the primitive proposition $p_i$,
and $ob^*$ is another (distinct) observation; let $\Phi_h$ be an arbitrary set of hypotheses, and let
$h$ be an arbitrary hypothesis in $\Phi_h$. Consider the formula $\hat{f}$ obtained by replacing every
occurrence of $p_i$ in $f$ by $w(ob_i, h) > 0$. It is straightforward to verify that $f$ is satisfiable
if and only if $\hat{f}$ is satisfiable in $\mathcal{L}^{w}(\Phi_h, \Phi_o)$. (We need the extra observation $ob^*$ to take
care of the case where $f$ is satisfiable in a model where each of $p_1, \ldots, p_n$ is false. In that case,
$w(ob_1, h) = \cdots = w(ob_n, h) = 0$, but we can take $w(ob^*, h) = 1$.) This establishes the lower
bound.

The upper bound is straightforward. By Lemma A.5, an evidential world over $\Phi_h$ and
$\Phi_o$ can be guessed in time polynomial in $|\Phi_h| + |\Phi_o| + |\varphi|\,\|\varphi\|$, since the prior probability
in the world requires assigning a value to $|\Phi_h|$ hypotheses, and the evidence space requires






$|\Phi_h|$ likelihood functions, each assigning a value to $|\Phi_o|$ observations, of size polynomial in
$|\varphi|\,\|\varphi\|$. We can verify that a world satisfies $\varphi$ in time polynomial in $|\varphi|\,\|\varphi\| + |\Phi_h| + |\Phi_o|$.
This establishes that the problem is in NP. □

Theorem 6.2: The problem of deciding, for a formula $\varphi$, whether there exist sets of
primitive propositions $\Phi_h$ and $\Phi_o$ such that $\varphi \in \mathcal{L}^{w}(\Phi_h, \Phi_o)$ and $\varphi$ is satisfiable in an
evidential world is NP-complete.

Proof. For the lower bound, we reduce from the decision problem of $\mathcal{L}^{w}(\Phi_h, \Phi_o)$ over fixed
$\Phi_h$ and $\Phi_o$. Let $\Phi_h = \{h_1, \ldots, h_m\}$ and $\Phi_o = \{ob_1, \ldots, ob_n\}$, and let $\varphi$ be a formula in
$\mathcal{L}^{w}(\Phi_h, \Phi_o)$. We can check that $\varphi$ is satisfiable in an evidential world over $\Phi_h$ and $\Phi_o$ if and
only if $\varphi \wedge (h_1 \vee \cdots \vee h_m) \wedge (ob_1 \vee \cdots \vee ob_n)$ is satisfiable in an evidential world over arbitrary
$\Phi'_h$ and $\Phi'_o$. Thus, by Theorem 6.1, we get our lower bound.

For the upper bound, by Lemma A.5, if $\varphi$ is satisfiable, it is satisfiable in an evidential
world over $\Phi_h$ and $\Phi_o$, where $\Phi_h = \mathcal{H} \cup \{h^*\}$, $\mathcal{H}$ consists of the hypotheses appearing in $\varphi$,
$\Phi_o = \mathcal{O} \cup \{ob^*\}$, $\mathcal{O}$ consists of the observations appearing in $\varphi$, and $h^*$ and $ob^*$ are new
hypotheses and observations. Thus, $|\Phi_h| \leq |\varphi| + 1$, and $|\Phi_o| \leq |\varphi| + 1$. As in the proof of
Theorem 6.1, such a world can be guessed in time polynomial in $|\varphi|\,\|\varphi\| + |\Phi_h| + |\Phi_o|$, and
therefore in time polynomial in $|\varphi|\,\|\varphi\|$. We can verify that this world satisfies $\varphi$ in time
polynomial in $|\varphi|\,\|\varphi\|$, establishing that the problem is in NP. □

Theorem 7.1: $\mathbf{AX}_{dyn}(\Phi_h, \Phi_o)$ is a sound and complete axiomatization for $\mathcal{L}^{fo\text{-}ev}_{dyn}(\Phi_h, \Phi_o)$
with respect to evidential runs.

Proof. It is easy to see that each axiom is valid in evidential runs. To prove completeness, we
follow the same procedure as in the proof of Theorem 4.1, showing that if $\varphi$ is consistent,
then it is satisfiable, that is, there exists an evidential run $r$ and valuation $v$ such that
$(r, m, v) \models \varphi$ for some point $(r, m)$ of $r$.

As in the body of the paper, let $\Phi_h = \{h_1, \ldots, h_{n_h}\}$ and $\Phi_o = \{ob_1, \ldots, ob_{n_o}\}$. Let $\varphi$ be
a consistent formula. The first step of the process is to reduce the formula $\varphi$ to a canonical
form with respect to the $\bigcirc$ operator. Intuitively, we push down every occurrence of a $\bigcirc$ to
the polynomial inequality formulas present in the formula. It is easy to see that axioms and
inference rules T1-T6 can be used to establish that $\varphi$ is provably equivalent to a formula
$\varphi'$ where every occurrence of $\bigcirc$ is in the form of subformulas $\bigcirc^n(ob)$ and $\bigcirc^n(p \geq c)$, where
$p$ is a polynomial term that contains at least one occurrence of the Pr operator. We use the
notation $\bigcirc^n\varphi$ for $\bigcirc \cdots \bigcirc\varphi$, the $n$-fold application of $\bigcirc$ to $\varphi$. We write $\bigcirc^0\varphi$ for $\varphi$. Let $N$
be the maximum coefficient of $\bigcirc$ in $\varphi'$.

By way of contradiction, assume that $\varphi'$ (and hence $\varphi$) is unsatisfiable. As in the proof
of Theorem 4.1, we reduce the formula $\varphi'$ to an equivalent formula in the language of real
closed fields. Let $u_1, \ldots, u_{n_h}$, $v_1^0, \ldots, v_{n_o}^0, \ldots, v_1^N, \ldots, v_{n_o}^N$, $y_1^0, \ldots, y_{n_h}^0, \ldots, y_1^N, \ldots, y_{n_h}^N$, and
$z_{\langle i_1, \ldots, i_k \rangle, 1}, \ldots, z_{\langle i_1, \ldots, i_k \rangle, n_h}$ (for every sequence $\langle i_1, \ldots, i_k \rangle$) be new variables, where,
intuitively,

• $u_i$ gets value 1 if hypothesis $h_i$ holds, 0 otherwise;

• $v_i^n$ gets value 1 if observation $ob_i$ holds at time $n$, 0 otherwise;

• $y_i^n$ represents $\Pr(h_i)$ at time $n$;

• $z_{\langle i_1, \ldots, i_k \rangle, j}$ represents $w(\langle ob_{i_1}, \ldots, ob_{i_k} \rangle, h_j)$.

The main difference with the construction in the proof of Theorem 4.1 is that we have
variables $v^n_i$ representing the observations at every time step $n$, rather than variables
representing observations at the only time step, variables $y^n_j$ representing each hypothesis probability
at every time step, rather than variables representing prior and posterior probabilities, and
variables $z_{\langle i_1,\ldots,i_k\rangle,j}$ representing the weight of evidence of sequences of observations, rather
than variables representing the weight of evidence of single observations. Let $v$ represent
that list of new variables. We consider the same formulas as in the proof of Theorem 4.1,
modified to account for the new variables, and the fact that we are reasoning over multiple
time steps. More specifically, the formula $\varphi_h$ is unchanged. Instead of $\varphi_o$, we consider
formulas $\varphi^1_o, \ldots, \varphi^N_o$ saying that exactly one observation holds at each time step, where
$\varphi^n_o$ is given by:

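$$(v^n_1 = 0 \lor v^n_1 = 1) \land \cdots \land (v^n_{n_o} = 0 \lor v^n_{n_o} = 1) \land v^n_1 + \cdots + v^n_{n_o} = 1.$$

Let $\varphi'_o = \varphi^1_o \land \cdots \land \varphi^N_o$.

Similarly, instead of $\varphi_{pr}$ and $\varphi_{po}$, we consider formulas $\varphi^1_p, \ldots, \varphi^N_p$ expressing that Pr is
a probability measure at each time step, where $\varphi^n_p$ is given by:

$$y^n_1 \ge 0 \land \cdots \land y^n_{n_h} \ge 0 \land y^n_1 + \cdots + y^n_{n_h} = 1.$$

Let $\varphi_p = \varphi^1_p \land \cdots \land \varphi^N_p$.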

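Similarly, we consider $\varphi_{w,p}$ and $\varphi_{w,f}$, except where we replace variables $z_{i,j}$ by $z_{\langle i\rangle,j}$ to
reflect the fact that we now consider sequences of observations. The formula $\varphi_{w,up}$, capturing
the update of a prior probability into a posterior probability given by E5, is replaced by
the formulas $\varphi^1_{w,up}, \ldots, \varphi^N_{w,up}$ representing the update of the probability at each time step,
where $\varphi^n_{w,up}$ is given by the obvious generalization of $\varphi_{w,up}$:

$$\begin{aligned}
(v^n_1 = 1 \Rightarrow{} & (y^{n-1}_1 z_{\langle 1\rangle,1} = y^n_1 y^{n-1}_1 z_{\langle 1\rangle,1} + \cdots + y^n_1 y^{n-1}_{n_h} z_{\langle 1\rangle,n_h} \;\land \\
& \;\cdots \land\; y^{n-1}_{n_h} z_{\langle 1\rangle,n_h} = y^n_{n_h} y^{n-1}_1 z_{\langle 1\rangle,1} + \cdots + y^n_{n_h} y^{n-1}_{n_h} z_{\langle 1\rangle,n_h})) \;\land \\
& \;\cdots\; \land \\
(v^n_{n_o} = 1 \Rightarrow{} & (y^{n-1}_1 z_{\langle n_o\rangle,1} = y^n_1 y^{n-1}_1 z_{\langle n_o\rangle,1} + \cdots + y^n_1 y^{n-1}_{n_h} z_{\langle n_o\rangle,n_h} \;\land \\
& \;\cdots \land\; y^{n-1}_{n_h} z_{\langle n_o\rangle,n_h} = y^n_{n_h} y^{n-1}_1 z_{\langle n_o\rangle,1} + \cdots + y^n_{n_h} y^{n-1}_{n_h} z_{\langle n_o\rangle,n_h})).
\end{aligned}$$

Let $\varphi'_{w,up} = \varphi^1_{w,up} \land \cdots \land \varphi^N_{w,up}$.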

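Finally, we need a new formula $\varphi_{w,c}$ capturing the relationship between the weight
of evidence of a sequence of observations, and the weight of evidence of the individual
observations, to capture axiom E6:

$$\begin{aligned}
& \bigwedge_{\substack{1 \le k \le N \\ 1 \le i_1,\ldots,i_k \le n_o}} z_{\langle i_1\rangle,h_1} \cdots z_{\langle i_k\rangle,h_1} = z_{\langle i_1,\ldots,i_k\rangle,h_1}\, z_{\langle i_1\rangle,h_1} \cdots z_{\langle i_k\rangle,h_1} + \cdots + z_{\langle i_1,\ldots,i_k\rangle,h_1}\, z_{\langle i_1\rangle,h_{n_h}} \cdots z_{\langle i_k\rangle,h_{n_h}} \;\land \\
& \;\cdots\; \land \\
& \bigwedge_{\substack{1 \le k \le N \\ 1 \le i_1,\ldots,i_k \le n_o}} z_{\langle i_1\rangle,h_{n_h}} \cdots z_{\langle i_k\rangle,h_{n_h}} = z_{\langle i_1,\ldots,i_k\rangle,h_{n_h}}\, z_{\langle i_1\rangle,h_1} \cdots z_{\langle i_k\rangle,h_1} + \cdots + z_{\langle i_1,\ldots,i_k\rangle,h_{n_h}}\, z_{\langle i_1\rangle,h_{n_h}} \cdots z_{\langle i_k\rangle,h_{n_h}}.
\end{aligned}$$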






Let $\hat{\varphi}$ be the formula in the language of real closed fields obtained from $\varphi$ by replacing
each occurrence of the primitive proposition $h_i$ by $u_i = 1$, each occurrence of $\bigcirc^n ob_i$ by
$v^n_i = 1$, and within each polynomial inequality formula $\bigcirc^n(p \ge c)$, replacing each occurrence
of $\Pr(\rho)$ by $\sum_{h_i \in [\![\rho]\!]} y^n_i$, each occurrence of $w(\langle ob_{i_1}, \ldots, ob_{i_k}\rangle, h_j)$ by $z_{\langle i_1,\ldots,i_k\rangle,j}$, and each
occurrence of an integer coefficient $k$ by $1 + \cdots + 1$ ($k$ times). Finally, let $\varphi'$ be the formula

$$\exists v\,(\varphi_h \land \varphi'_o \land \varphi_p \land \varphi_{w,p} \land \varphi_{w,f} \land \varphi'_{w,up} \land \varphi_{w,c} \land \hat{\varphi}).$$

It is easy to see that if $\varphi$ is unsatisfiable over evidential systems, then $\varphi'$ is false about
the real numbers. Therefore, $\neg\varphi'$ must be a formula valid in real closed fields, and hence an
instance of RCF. Thus, $\neg\varphi'$ is provable. It is straightforward to show, using the obvious
variant of Lemma A.3, that $\neg\varphi$ itself is provable, contradicting the fact that $\varphi$ is consistent.
Thus, $\varphi$ must be satisfiable, establishing completeness. □
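
The per-step update constraint (E5) and the sequence-weight constraint (E6) used in the proof above can be checked numerically on the coin example from the introduction. The following is an added example, not code from the paper; the names `HYPS`, `Z`, `BARREL` and all functions are hypothetical, and the single-observation weights in `Z` are constructed sample values.

```python
from fractions import Fraction as F
from math import prod

HYPS = ("fair", "double")  # h_1, h_2 (constructed)
# z_{<i>,j}: constructed single-observation weights; for each observation
# they sum to 1 over the hypotheses.
Z = {"heads": {"fair": F(1, 3), "double": F(2, 3)},
     "tails": {"fair": F(1), "double": F(0)}}
# y^0: prior for one double-headed coin among 10^9 fair ones.
BARREL = {"fair": F(10**9, 10**9 + 1), "double": F(1, 10**9 + 1)}

def seq_weight(seq):
    """E6: z_{<i_1..i_k>,j} computed from the single-observation weights."""
    prods = {h: prod(Z[ob][h] for ob in seq) for h in HYPS}
    total = sum(prods.values())
    if total == 0:
        raise ValueError("sequence has zero weight under every hypothesis")
    return {h: prods[h] / total for h in HYPS}

def update(prior, weight):
    """E5: solve y^{n-1}_j z_j = y^n_j * sum_l y^{n-1}_l z_l for y^n."""
    norm = sum(prior[h] * weight[h] for h in HYPS)
    if norm == 0:
        # The constraint degenerates to 0 = 0 and no longer determines y^n.
        raise ValueError("observation is impossible under this prior")
    return {h: prior[h] * weight[h] / norm for h in HYPS}

def satisfies_update(prev, new, weight):
    """Check the polynomial constraint itself, without dividing."""
    norm = sum(prev[h] * weight[h] for h in HYPS)
    return all(prev[h] * weight[h] == new[h] * norm for h in HYPS)

def run(prior, seq):
    """Apply the update once per time step; return y^0, ..., y^N."""
    traj = [prior]
    for ob in seq:
        traj.append(update(traj[-1], Z[ob]))
    return traj

if __name__ == "__main__":
    heads20 = ["heads"] * 20
    stepwise = run(BARREL, heads20)[-1]
    one_shot = update(BARREL, seq_weight(heads20))
    print(stepwise == one_shot, float(stepwise["double"]))
```

Updating step by step and updating once with the E6 sequence weight give the same posterior, which is the relationship the two families of constraints jointly encode.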